Bug ID 653201: Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:

Fixed In: 12.1.2 HF1

Opened: Mar 23, 2017

Severity: 3-Major


The default CA certificate bundle file used by the system contains a number of outdated CA certificates, some already expired and others about to expire.


When the built-in set of trusted certificates is obsolete, i.e., a number of the CA certificates in it have expired, the system might fail to verify peer certificates correctly, because a chain that terminates in an expired root is rejected during validation.


If the default CA certificate bundle file is configured in an SSL profile (client-ssl or server-ssl), it is used as the set of trusted CA certificates when verifying the peer's certificate during the SSL handshake.


Either update the default CA certificate bundle file /config/ssl/ssl.crt/ca-bundle.crt in place with current certificates and then restart TMM:

bigstart restart tmm

Note that restarting TMM interrupts traffic processing on that device, so schedule it accordingly. Alternatively, install a separate bundle as its own certificate object and point the affected SSL profile at it, for example:

tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Here better_ca_bundle and cssl are example names. On a client-ssl profile the ca-file is used to verify client certificates; the same ca-file option exists on ltm profile server-ssl for verifying the certificates presented by backend servers.
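Both workaround paths assume you know which certificates in a bundle are expired or close to expiring before you install it. The following script is an added example, not F5's code: it splits a PEM bundle such as /config/ssl/ssl.crt/ca-bundle.crt into individual certificates, classifies each one with openssl x509 -checkend as EXPIRED, EXPIRING (within a window in days) or OK, and writes a pruned copy containing only the OK certificates. The sample bundle it builds from two freshly generated self-signed CAs (one valid for 10 days, one for 10 years) is constructed for the demonstration; the function and file names are the example's own.

```shell
#!/bin/bash
# Added example (not F5 code): audit a PEM CA bundle for expired or
# soon-to-expire certificates and write a pruned copy. Needs openssl and awk.
set -eu

# split_bundle BUNDLE DIR: write one file per certificate block in BUNDLE into DIR.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%04d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# cert_status CERT WINDOW_SECS: print EXPIRED, EXPIRING or OK for one PEM certificate.
# -checkend N exits non-zero if the certificate expires within N seconds.
cert_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# audit_bundle BUNDLE [WINDOW_DAYS]: one tab-separated line per certificate:
# status, notAfter, subject. Default window is 30 days.
audit_bundle() {
    local bundle="$1" window_secs=$(( ${2:-30} * 86400 )) dir c
    dir=$(mktemp -d)
    split_bundle "$bundle" "$dir"
    for c in "$dir"/cert-*.pem; do
        [ -e "$c" ] || continue
        printf '%s\t%s\t%s\n' \
            "$(cert_status "$c" "$window_secs")" \
            "$(openssl x509 -in "$c" -noout -enddate | cut -d= -f2)" \
            "$(openssl x509 -in "$c" -noout -subject)"
    done
    rm -rf "$dir"
}

# prune_bundle BUNDLE OUT [WINDOW_DAYS]: copy only the certificates whose status
# is OK into OUT, so OUT can be installed as the replacement bundle.
prune_bundle() {
    local bundle="$1" out="$2" window_secs=$(( ${3:-30} * 86400 )) dir c
    dir=$(mktemp -d)
    split_bundle "$bundle" "$dir"
    : > "$out"
    for c in "$dir"/cert-*.pem; do
        [ -e "$c" ] || continue
        [ "$(cert_status "$c" "$window_secs")" = OK ] && cat "$c" >> "$out"
    done
    rm -rf "$dir"
}

# make_sample_bundle OUT: constructed test input, two self-signed CAs with
# different lifetimes so that a 30-day window flags exactly one of them.
make_sample_bundle() {
    local out="$1" dir
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/k1.pem" -subj "/CN=Example Soon-Expiring Root CA" \
        -days 10 -out "$dir/soon.pem" 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/k2.pem" -subj "/CN=Example Long-Lived Root CA" \
        -days 3650 -out "$dir/long.pem" 2>/dev/null
    cat "$dir/soon.pem" "$dir/long.pem" > "$out"
    rm -rf "$dir"
}

# Stand-alone demonstration on the constructed bundle.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    sample=$(mktemp)
    make_sample_bundle "$sample"
    audit_bundle "$sample" 30
    prune_bundle "$sample" "$sample.pruned" 30
    echo "kept $(grep -c 'BEGIN CERTIFICATE' "$sample.pruned") of 2 certificates"
    rm -f "$sample" "$sample.pruned"
fi
```

On a real system, run audit_bundle against /config/ssl/ssl.crt/ca-bundle.crt first and review the EXPIRED and EXPIRING lines: a CA removed from the bundle stops every chain that terminates in it from verifying, so confirm nothing you still need to trust is on that list. The file written by prune_bundle can then be copied to /shared and installed with the tmsh install command from the workaround.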

Fix Information

This release updates the default CA certificate bundle file, adding current CA certificates and removing the expired ones.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips