Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1
Fixed In:
13.0.0, 12.1.5
Opened: Jun 15, 2016 Severity: 3-Major
When PKCS#12 cert and key are in use by SSL profiles, importing key/cert fails with the below error message: Import Failed: Exception caught in Management::urn:iControl:Management/KeyCertificate::pkcs12_import_from_file_v2() 0107160f:3: Profile /Common/z-cssl's SSL forward proxy CA key and certificate do not match
When PKCS#12 cert and key are in use by SSL profiles, they can not be directly updated (overwritten) using key/cert import.
1. When the cert and key are in the PKCS#12 format. 2. When the cert and key are in use by SSL profiles.
Use tmsh to install the PKCS#12 key. For example, suppose the key/cert to be replaced is called orig.key and orig.crt, it can be overwritten using the below command: tmsh install sys crypto pkcs12 orig from-local-file /shared/eee.pfx
None