Bug ID 653201: Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7

Fixed In:
13.1.0.8, 12.1.2 HF1

Opened: Mar 23, 2017
Severity: 3-Major

Symptoms

The default CA certificate bundle file used by the system contains some older certificates, e.g., expired or soon-to-be expired.

Impact

When the built-in trusted certificates are obsolete, i.e., containing a certain number of expired certificates, the systems might fail to verify peers certificate correctly.

Conditions

If the default CA certificate bundle file is configured in SSL profiles, it is used as a set of built-in trusted certificates when verifying peer's certificate during SSL handshake.

Workaround

You can either directly update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt with proper certificates and then 'bigstart restart tmm' Alternatively, you can use a separate certificate, for example: tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Fix Information

This release updates the default CA certificate bundle file by adding the latest certificates and removing the expired certificates.

Behavior Change