Bug ID 535122: [tmsh/iCRD/GUI] Do not automatically add extensions to SSL key/cert/crl/csr file objects

Last Modified: May 01, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
10.2.4, 11.0.0, 11.1.0, 11.2.0, 11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed In:
14.0.0

Opened: Jul 25, 2015
Severity: 2-Critical

Symptoms

Using iControl REST's process (iCRD) with 'sys crypto' always fails, and the GUI does not work with SSL file objects created without extensions using tmsh (with 'sys file') during the create process.

Impact

The system creates a file with two extensions, for example, specifying the filename csrname.crt creates a file named csrname.crt.csr in folder /config/ssl/ssl.csr/. -- Using iCRD with 'sys crypto' fails. -- The BIG-IP GUI exhibits the following behavior: + Inconsistently manages those files improperly. + May return errors (e.g., 'An error has occurred while trying to process your request.' or 'No certificate.'). + May confuse two objects (e.g., 'web-server' and 'web-server.crt'). + GUI cannot create an archive (System :: File Management : SSL Certificate List :: Archive) containing one of these files, and reports an error similar to the following: Key management library returned bad status: -2, Not Found.

Conditions

-- Creating SSL certificates/keys/CRL/CSR objects using iControl (with 'sys crypto') or tmsh (with 'sys file'). -- Specifying the file extension associated with the object: .crt/.key/.crl/.csr.

Workaround

When creating SSL-related file objects via tmsh 'sys file' or iCRD with 'sys crypto', do include a file extension (.crt/.key/.crl/.csr) in the object name, even if it is the extension associated with the type of object. This is because the system explicitly adds the appropriate file extension during the create operation for ('sys crypto') but does not add extensions for ('sys file').

Fix Information

tmsh, iCRD, and GUI no longer implicitly add extensions to key/cert/csr/crl file objects to create/query/delete commands. The system will use the exact name/label specified during the create operation.

Behavior Change

tmsh, iControl REST daemon (iCRD), and the GUI no longer implicitly adds extensions to key/cert/csr/crl file objects when using create/query/delete commands, and the system will use the exact name/label specified. For example, if you specify the name 'test' when using tmsh, iCRD, or the GUI to create a key and a certificate, the system will create the key named 'test' and certificate named 'test' (without an extension). Therefore, you must always specify the correct extension for the type of object you are creating. iControl SOAP has no change in behavior with file objects. A new hidden/non-default header was added for KeyManagement iControl SOAP calls, which when provided, makes iControl keymgmt APIs behave like tmsh 'sys crypto' APIs by not implicitly adding extensions. Note that this header is not enabled by default and is currently used by the GUI.