Bug ID 492085: Replacing an entry in an SSL profile's certificate-key chain may cause it to be added, not replaced, when synced to other devices

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.5.3, 11.5.2, 11.5.1

Opened: Nov 20, 2014

Severity: 3-Major

Related Article: K33287450


If an entry in a profile's certificate-key chain is replaced, and a full-load sync is then performed, the receiving device ends up with the newly chosen key pair added to the chain alongside the old one, rather than replacing it.


If the two keys are of the same type, then it is not deterministic which key will be used, so the SSL handshake might happen with the wrong key.


This issue occurs when all of the following conditions are met:
-- You have multiple BIG-IP systems in an HA configuration.
-- Your configuration includes one or more virtual servers with an associated client SSL profile.
-- You have performed at least one full configuration synchronization (ConfigSync) to the HA peer devices.
-- You create or import a new SSL certificate and key pair.
-- You perform the following modifications to one or more client SSL profiles:
   + Select the box to allow editing of the Certificate Key Chain option.
   + Select the currently associated SSL certificate and key object.
   + Select Edit and choose the new SSL certificate and key from the Certificate and Key options.
-- Perform a full ConfigSync to the peer HA devices.

Note: This issue occurs because both the new and the existing SSL certificate / key pairs are associated with the SSL profile on the remote BIG-IP HA peers.


Perform the following procedure:
1. Disable full-load-on-sync for the device group.
2. Delete the profile.
3. Perform a sync operation.
4. Create the device group with the new certificate-key chain.
5. Sync again.
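An added check, not from F5 or this bug tracker entry, that can be run on each HA peer after a sync or after the workaround above: it parses `tmsh list ltm profile client-ssl` output and reports any client SSL profile whose cert-key-chain carries more than one entry, which is the symptom this bug produces on the receiving device. The embedded sample output is constructed to mirror the `tmsh list` layout, and the profile and entry names in it are assumptions.

```shell
#!/bin/sh
# Constructed sample of `tmsh list ltm profile client-ssl` output, as it
# could look on an HA peer after the sync described in this bug: the
# first profile carries both the old and the new cert-key-chain entries.
SAMPLE_TMSH_OUTPUT='ltm profile client-ssl app_clientssl {
    cert old.crt
    cert-key-chain {
        old {
            cert old.crt
            chain none
            key old.key
        }
        new {
            cert new.crt
            chain none
            key new.key
        }
    }
    defaults-from clientssl
    key old.key
}
ltm profile client-ssl other_clientssl {
    cert default.crt
    cert-key-chain {
        default {
            cert default.crt
            chain none
            key default.key
        }
    }
    defaults-from clientssl
    key default.key
}'

# Read tmsh output on stdin; print "<profile> <count> <entry names>" for
# every client SSL profile that has more than one cert-key-chain entry.
find_multi_chain_profiles() {
    awk '
        /^ltm profile client-ssl / { prof = $4; n = 0; names = ""; inchain = 0 }
        /^    cert-key-chain [{]/   { inchain = 1; next }
        inchain && /^    }/        { inchain = 0 }
        inchain && /^        [^ ]+ [{]/ { n++; names = names (names == "" ? "" : ",") $1 }
        /^}/ { if (n > 1) print prof, n, names }
    '
}

# On a live BIG-IP (assumed usage, not run here):
#   tmsh list ltm profile client-ssl | find_multi_chain_profiles
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | find_multi_chain_profiles
```

Any profile this reports on a peer but not on the device you edited is a candidate for the workaround; an empty result on every peer means each chain has a single entry again.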

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips