Last Modified: May 14, 2019
See more info
Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
13.1.0, 12.1.2 HF1
Opened: Dec 12, 2016
Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.
Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.
- Running an affected version of BIG-IP software - Using tmsh or the Configuration Utility to generate the CSR - Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR
Use openssl from the bash command line to generate CSR's. Solution article K14534 contains the appropriate procedure.