Bug ID 507109: inherit-certkeychain attribute of child Client SSL profile can unexpectedly change during upgrade

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8

Fixed In:
12.0.0, 11.6.1, 11.5.4

Opened: Feb 13, 2015
Severity: 3-Major
Related AskF5 Article:
K16589

Symptoms

The inherit-certkeychain attribute of a child Client SSL profile can unexpectedly change after upgrade.

Impact

An incorrect cert key chain is used in the profile.

Conditions

This issue occurs when all of the following conditions are met: -- You create a Client SSL profile that does not inherit the certificate, key, and chain certificate settings from the parent profile. -- You upgrade to BIG-IP 11.5.1 (HF6 or later), 11.5.2, 11.5.3, or 11.6.0.

Workaround

Manually edit bigip.conf to contain the correct value. To do so, add the following line into child client ssl profile: inherit-certkeychain false Run the command: tmsh load sys config

Fix Information

The certificate, key, and chain certificate settings in a Client SSL profile no longer change after an upgrade.

Behavior Change