Bug ID 435125: An expired certificate for certificate authority (CA) DigiNotar is included in the BIG-IP system's ca-bundle.crt.

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.4.0, 11.4.1

Fixed In:
11.5.0

Opened: Oct 23, 2013

Severity: 3-Major

Related Article: K15847

Symptoms

An expired certificate for certificate authority (CA) DigiNotar is included in the BIG-IP system's ca-bundle.crt. This certificate was originally removed in BIG-IP 10.2.3 and 11.0.0 HF1, and was inadvertently added back in BIG-IP 11.4.0 and 11.4.1. As a result of this issue, you may encounter one or more of the following symptoms:

-- Client Web browsers warn of an expired intermediate or root certificate.
-- Enterprise Manager warns of expired certificates on managed devices.

Impact

Client Web browsers may receive an SSL pop-up warning when an SSL profile uses the ca-bundle.crt. More seriously, rogue certificates signed by DigiNotar may be considered valid when the ca-bundle.crt is used to verify certificates, because the DigiNotar CA certificates are still present in the bundle as trust anchors.

Conditions

DigiNotar appears in ca-bundle.crt.

Workaround

To work around this issue, delete the expired DigiNotar CA certificates from ca-bundle.crt and import the modified bundle under a new name. To do so, perform the following procedures.

Impact of workaround: Performing the following procedure should not have a negative impact on your system.

Removing the expired CA certificate
+++++++++++++++++

1. Log in to the BIG-IP system command line.
2. Change to the /config/ssl/ssl.crt/ directory by typing the following command:
   cd /config/ssl/ssl.crt/
3. Back up the original ca-bundle.crt file by typing the following command:
   cp ca-bundle.crt ca-bundle.crt.SOL15847
4. Using a text editor, open the ca-bundle.crt file.
5. Search the file for the Common Name of the offending certificates: DigiNotar. The ca-bundle.crt file contains two DigiNotar CA certificates, and both must be removed.
6. Once you have located an offending certificate, remove its entire entry from the file: delete the line that reads "Certificate:" at the start of the entry, the line that reads "-----END CERTIFICATE-----" at the end of the entry, and every line in between.
7. Ensure that both DigiNotar entries have been removed, then save the file and exit the editor. As a check, the edited file should contain exactly two fewer "-----BEGIN CERTIFICATE-----" lines than the backup.

Importing the modified ca-bundle.crt
+++++++++++++++

1. Log in to the BIG-IP system command line and type the following command:
   tmsh
2. Import the modified ca-bundle.crt file by typing the following command:
   install sys crypto cert ca-bundle-sol15847.crt from-local-file /config/ssl/ssl.crt/ca-bundle.crt
3. Save the configuration by typing the following command:
   save sys config

You can now select the modified CA bundle named ca-bundle-sol15847.crt in the SSL profile.
======================

If you see log output like the following and want to prevent it, perform the following procedure:

---------------------------
-- warning tmsh[25123]: 01420007:4: Certificate 'CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL' in file /Common/ca-bundle.crt expired on Dec 16 09:15:38 2015 GMT
---------------------------

Impact of workaround: Rebooting the BIG-IP system disrupts traffic processing until the system is back up.

1. Remove the expired CA certificate as described in the earlier procedure.
2. Force mcpd to rebuild the configuration database by running the following command:
   # touch /service/mcpd/forceload; reboot

Note: After you modify the ca-bundle.crt file and move it with cp or mv, verify that the file's SELinux security context is correct. For more information, refer to K11455: Moving a file across the BIG-IP file system may cause SELinux to deny access to the file :: https://support.f5.com/csp/article/K11455.

Note: Forcing the mcpd process to reload disrupts traffic processing until the system is back up. For more information, refer to K13030: Forcing the mcpd process to reload the BIG-IP configuration :: https://support.f5.com/csp/article/K13030.
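As an added example, not part of this article and not an F5 tool, the Python script below automates the editing step of the removal procedure on a copy of the bundle and also reports the condition behind the tmsh expiry warning quoted above. It assumes the entry layout the procedure describes: each entry is an openssl-style text header starting with a line that reads "Certificate:" followed by the PEM block ending in "-----END CERTIFICATE-----". It drops every entry whose Subject contains a given string (here "DigiNotar"), exposes the BEGIN CERTIFICATE count used as the sanity check in step 7, and lists entries whose Not After date has passed. The sample bundle is constructed with placeholder base64 bodies; the Staat der Nederlanden expiry date is the one from the warning line, every other name and date is made up for the example.

```python
"""Filter an openssl-style text CA bundle by Subject and report expired entries."""
import re
from datetime import datetime, timezone

# One entry runs from a line reading "Certificate:" to the matching END line.
ENTRY_RE = re.compile(r"^Certificate:.*?^-----END CERTIFICATE-----[ \t]*\n?", re.M | re.S)
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+)$", re.M)
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+)$", re.M)

# Constructed sample: placeholder bodies, made-up names and dates, except the
# Staat der Nederlanden "Not After", which is the date quoted in the tmsh warning.
SAMPLE_BUNDLE = """\
Certificate:
    Data:
        Issuer: C=NL, O=DigiNotar, CN=DigiNotar Root CA
        Validity
            Not After : Jan  1 00:00:00 2013 GMT
        Subject: C=NL, O=DigiNotar, CN=DigiNotar Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIx
-----END CERTIFICATE-----
Certificate:
    Data:
        Issuer: C=NL, O=DigiNotar, CN=DigiNotar Root CA
        Validity
            Not After : Jan  1 00:00:00 2013 GMT
        Subject: C=NL, O=DigiNotar, CN=DigiNotar Intermediate CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIy
-----END CERTIFICATE-----
Certificate:
    Data:
        Issuer: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA
        Validity
            Not After : Dec 16 09:15:38 2015 GMT
        Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIz
-----END CERTIFICATE-----
Certificate:
    Data:
        Issuer: C=XX, O=Example, CN=Example Root CA
        Validity
            Not After : Jan  1 00:00:00 2030 GMT
        Subject: C=XX, O=Example, CN=Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVI0
-----END CERTIFICATE-----
"""


def parse_gmt(stamp):
    """Parse an openssl/tmsh timestamp such as 'Dec 16 09:15:38 2015 GMT' as aware UTC."""
    stamp = " ".join(stamp.replace("GMT", "").split())  # collapse openssl's day padding
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def split_bundle(text):
    """Return (preamble, entries): any text before the first entry, then each whole entry."""
    first = ENTRY_RE.search(text)
    preamble = text[:first.start()] if first else text
    return preamble, ENTRY_RE.findall(text)


def subject_of(entry):
    m = SUBJECT_RE.search(entry)
    return m.group(1).strip() if m else ""


def not_after(entry):
    m = NOT_AFTER_RE.search(entry)
    return parse_gmt(m.group(1)) if m else None


def filter_bundle(text, drop_substring):
    """Drop every entry whose Subject contains drop_substring. Returns (filtered_text, removed_subjects)."""
    preamble, entries = split_bundle(text)
    kept, removed = [], []
    for entry in entries:
        subj = subject_of(entry)
        if drop_substring in subj:
            removed.append(subj)
        else:
            kept.append(entry)
    return preamble + "".join(kept), removed


def expired_entries(text, now):
    """Subjects whose Not After lies before `now` (a datetime or an openssl-style timestamp string)."""
    if isinstance(now, str):
        now = parse_gmt(now)
    _, entries = split_bundle(text)
    return [subject_of(e) for e in entries if not_after(e) is not None and not_after(e) < now]


def count_pem_blocks(text):
    """The sanity check from step 7: number of BEGIN CERTIFICATE lines."""
    return text.count("-----BEGIN CERTIFICATE-----")


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    cleaned, removed = filter_bundle(src, "DigiNotar")
    print(f"removed {len(removed)} entries: {removed}")
    print(f"PEM blocks before={count_pem_blocks(src)} after={count_pem_blocks(cleaned)}")
    for subj in expired_entries(cleaned, datetime.now(timezone.utc)):
        print(f"still expired: {subj}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "w").write(cleaned)
```

Run it on the backup copy and write the result to a separate file (for example, the backup as the first argument and the edited bundle as the second), check that the reported block count dropped by exactly two, and only then import the edited file with the tmsh command from the procedure. The "still expired" lines show which remaining entries would trigger the same 01420007 warning after the reload, such as the Staat der Nederlanden root in the quoted log line.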

Fix Information

CA bundle (ca-bundle.crt) is now updated in the certificate store with the latest available root CA certificates. Expired and rogue certificates (e.g., DigiNotar) are removed in the process.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips