Bug ID 633181: A CSR generated from Configuration Utility or tmsh may have an empty 'Attributes' or 'Requested Extensions' section

Last Modified: May 14, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP TMOS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0, 12.1.2 HF1

Opened: Dec 12, 2016
Severity: 4-Minor

Symptoms

Certificate signing requests generated from the Configuration Utility or in tmsh on affected versions may have an empty 'Attributes' or 'Requested Extensions' section if no data was supplied for these fields during CSR generation. The correct behavior is to supply an empty set (a0:00) for the Attributes section and to omit the 'Requested Extensions' section if no data were supplied for these fields.

Impact

Impact varies according to the CA signing the request. An empty attribute section is generally well-tolerated but may be incompatible with some CA's.

Conditions

- Running an affected version of BIG-IP software - Using tmsh or the Configuration Utility to generate the CSR - Not filling in 'E-mail Address' and/or 'Subject Alternative Name' sections while generating the CSR

Workaround

Use openssl from the bash command line to generate CSR's. Solution article K14534 contains the appropriate procedure.

Fix Information

None

Behavior Change