Bug ID 599191: One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
12.1.2 HF1, 11.5.4 HF3

Opened: Jun 14, 2016

Severity: 4-Minor

Symptoms

When running the tmsh show sys crypto fips command, you notice that keys you previously deleted remain on the FIPS card.

Impact

A stale key is left on the FIPS card. There is no impact to functionality.

Conditions

This occurs when you have BIG-IP systems with FIPS HSMs, configured in manual sync mode, under the following sequence of actions:
- Create a key-cert pair
- Associate the new key-cert pair with a clientssl profile
- Config sync to the peers
- Associate the clientssl profile with the default key and cert
- Delete the key and cert
- Manual sync

Workaround

Check the handles/key IDs of the keys in the configuration using tmsh. Then remove the key that is not in use with the command: tmsh delete sys crypto key <keyname>
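The following shell script is an added example and is not part of this bug record or F5's own tooling. It shows the check behind the workaround: given the list of key names the FIPS card reports and the list of key names the configuration still references, it prints the names that exist only on the card and emits the matching tmsh delete command for review rather than running it. Both lists are constructed sample data; on a real unit you would fill them from the output of tmsh show sys crypto fips and tmsh list sys crypto key, whose exact format varies by version and is not reproduced here.

```shell
#!/bin/sh
# Added example, not F5 code. Finds key names present on the FIPS card but
# absent from the configuration, i.e. the stale keys this bug leaves behind.

# Key names reported by the FIPS card (constructed sample, one per line).
CARD_KEYS='default.key
app1.key
app2.key'

# Key names still referenced by the configuration (constructed sample).
CONFIG_KEYS='default.key
app1.key'

# stale_keys CARD_LIST CONFIG_LIST
# Prints names found in CARD_LIST but not in CONFIG_LIST. comm(1) needs
# sorted input, so both lists go through sort -u via temporary files
# (POSIX sh has no process substitution).
stale_keys() {
  card_file=$(mktemp)
  cfg_file=$(mktemp)
  printf '%s\n' "$1" | sort -u > "$card_file"
  printf '%s\n' "$2" | sort -u > "$cfg_file"
  comm -23 "$card_file" "$cfg_file"
  rm -f "$card_file" "$cfg_file"
}

# delete_commands CARD_LIST CONFIG_LIST
# For every stale key, prints the workaround command so an operator can
# review it before running anything. Nothing is executed by this function.
delete_commands() {
  stale_keys "$1" "$2" | while IFS= read -r key; do
    [ -n "$key" ] || continue
    printf 'tmsh delete sys crypto key %s\n' "$key"
  done
}

# Example run: one stale key (app2.key) and the command that would remove it.
stale_keys "$CARD_KEYS" "$CONFIG_KEYS"
delete_commands "$CARD_KEYS" "$CONFIG_KEYS"
```

Only names that appear nowhere in the configuration are reported, so a key that is still bound to a clientssl profile is never proposed for deletion; in manual sync mode, perform the sync again after cleaning up so both peers agree.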

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips