Bug ID 520702: Add an option ignore-large-cert-bundles for "tmsh run sys crypto check-cert" to indicate whether to skip large size CA bundles.

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP All (all modules)

Fixed In:
12.1.0

Opened: Apr 30, 2015

Severity: 4-Minor

Symptoms

The tmsh command "tmsh run sys crypto check-cert" checks the validity of all certificates and certificate bundles. However, it also reports the expiration of certificates in a bundle that may be unused. A new option, "ignore-large-cert-bundles", is being added to the command to indicate whether to ignore large certificate bundles (containing more than 20 certificates) during the check.

Impact

N/A

Conditions

N/A

Workaround

None

Fix Information

With this change, "tmsh run sys crypto check-cert ignore-large-cert-bundles enabled" ignores large certificate bundles (those containing more than 20 certificates). "tmsh run sys crypto check-cert ignore-large-cert-bundles disabled" does not ignore anything, i.e., it checks all certificates and bundles. The default value for ignore-large-cert-bundles is disabled, so the existing command "tmsh run sys crypto check-cert" keeps its existing behavior, i.e., it still checks all certificates and bundles.

Behavior Change
