Bug ID 599191: One of the config-sync scenarios causes old FIPS keys to be left in the FIPS card

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
12.1.2 HF1, 11.5.4 HF3

Opened: Jun 14, 2016

Severity: 4-Minor


When running the tmsh show sys crypto fips command, you notice stale keys that you have previously deleted are left behind on the FIPS card.


A stale key is left on the FIPS card. There is no impact to functionality.


This occurs when you have BIG-IPs with FIPS HSMs, configured in manual sync mode, under the following set of actions: - Create a key-cert pair - Associate the new key-cert pair with a clientssl profile - Config sync to the peers - Associate the clientssl profile with the default key and cert - Delete the key and cert - Manual sync


Check for the handles/key-ids of the keys in configuration using tmsh. Then remove the key that is not in use using the command tmsh delete sys crypto key <keyname>

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips