Bug ID 586056: Machine cert checker doesn't work as expected if issuer or AltName is specified

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1

Fixed In:
11.5.4 HF2

Opened: Apr 07, 2016

Severity: 3-Major

Symptoms

Windows Machine cert checker doesn't work as expected if issuer or AltName is specified. User cannot pass access policy even with valid machine cert. Logs in client PC can be produced, such as: EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code: and CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""

Impact

User may not pass policy as expected

Conditions

Issuer or Subject AltName fields are populated. Site recently upgraded to 11.5.4.

Workaround

N/A

Fix Information

Now Machine Cert checker correctly processes issuer and SAN fields.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips

Have a question?

About F5

Education

F5 sites

Support Tasks

© F5, Inc. All rights reserved. Policies | Privacy | Trademarks