Bug ID 633181: A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP TMOS(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1

Opened: Dec 12, 2016

Severity: 4-Minor


Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.


Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.


- Running an affected version of BIG-IP software - Using tmsh or the Configuration Utility to generate the CSR - Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR


Use openssl from the bash command line to generate CSR's. Solution article K14534 contains the appropriate procedure.

Fix Information


Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips