Bug ID 653201: Update the default CA certificate bundle file to the latest version and remove expiring certificates from it

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 13.1.0

Fixed In: 12.1.2 HF1

Opened: Mar 23, 2017
Severity: 3-Major


The default CA certificate bundle file used by the system contains some outdated certificates, that is, certificates that are already expired or close to expiry, and lacks newer ones.


When the built-in trusted certificates are obsolete (for example, the bundle contains a number of expired certificates and is missing current roots), the system might fail to verify the peer's certificate correctly during the SSL handshake.


If the default CA certificate bundle file is configured in an SSL profile, it is used as the set of built-in trusted certificates when verifying the peer's certificate during the SSL handshake.


You can either update the default CA certificate bundle file directly, or install a separate bundle and point the affected SSL profiles at it.

Option 1: replace the contents of /config/ssl/ssl.crt/ca-bundle.crt with a current set of CA certificates, then restart TMM so that the new bundle is loaded:

bigstart restart tmm

Note that restarting TMM interrupts all traffic handled by the unit, so schedule it accordingly (on a redundant pair, fail over first).

Option 2: install the updated bundle as a separate certificate object and reference it from the profile instead of the default bundle, which requires no restart:

tmsh install sys crypto cert better_ca_bundle from-local-file /shared/better_ca_bundle.pem
tmsh modify ltm profile client-ssl cssl ca-file better_ca_bundle.crt

Here better_ca_bundle and cssl are example names; substitute the bundle name and the SSL profile you use.
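Both options above start from a cleaned PEM bundle. The following script is an added example, not F5's code and not part of this bug record: it splits a PEM CA bundle, reads each certificate's Validity with a minimal DER walk (stdlib only, no openssl needed), and drops every certificate that is expired or expires within a grace period, producing the file you would then copy to /config/ssl/ssl.crt/ca-bundle.crt or install with tmsh. Names such as filter_bundle and fake_cert_pem are this example's own. The fixture certificates it builds are constructed for the test: they carry a real Validity field but empty names, no key and no signature, and are not usable certificates.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return each PEM certificate in the bundle as a normalised block."""
    blocks = []
    for b64 in _PEM_RE.findall(text):
        body = "".join(b64.split())
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                      + "\n-----END CERTIFICATE-----\n")
    return blocks


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    s = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 => 19xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                      # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tag, pos, _ = _tlv(der, pos)           # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for want in (0x02, 0x30, 0x30):        # serialNumber, signature, issuer
        tag, _, end = _tlv(der, pos)
        if tag != want:
            raise ValueError("unexpected tbsCertificate layout")
        pos = end
    tag, pos, _ = _tlv(der, pos)           # validity SEQUENCE { notBefore, notAfter }
    if tag != 0x30:
        raise ValueError("validity not found")
    t1, s1, e1 = _tlv(der, pos)
    t2, s2, e2 = _tlv(der, e1)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def filter_bundle(text, now=None, grace_days=0):
    """Drop every certificate whose notAfter is at or before now + grace_days.
    Returns (kept_pem_text, dropped) where dropped lists (index, notAfter)."""
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=grace_days)
    kept, dropped = [], []
    for i, pem in enumerate(split_pem_bundle(text)):
        der = base64.b64decode("".join(pem.splitlines()[1:-1]))
        _, not_after = cert_validity(der)
        if not_after <= cutoff:
            dropped.append((i, not_after))
        else:
            kept.append(pem)
    return "".join(kept), dropped


# ---- constructed test fixture: X.509-shaped DER, NOT real certificates -----
def _der(tag, payload):                    # short-form lengths suffice here (< 128 bytes)
    return bytes([tag, len(payload)]) + payload


def fake_cert_pem(not_before, not_after):
    """Real Validity, empty issuer/subject, no key, no signature."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))      # [0] version v3
                     + _der(0x02, b"\x01")                # serialNumber
                     + _der(0x30, b"") + _der(0x30, b"")  # signature alg, issuer
                     + _der(0x30, utc(not_before) + utc(not_after))
                     + _der(0x30, b"") + _der(0x30, b""))  # subject, spki
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode()
            + "\n-----END CERTIFICATE-----\n")


AS_OF = datetime(2017, 3, 23, tzinfo=timezone.utc)       # date this bug was opened
SAMPLE_BUNDLE = (
    fake_cert_pem(datetime(2006, 1, 1), datetime(2016, 1, 1))   # already expired
    + fake_cert_pem(datetime(2010, 1, 1), datetime(2030, 1, 1))  # current
    + fake_cert_pem(datetime(2007, 6, 1), datetime(2017, 6, 1))  # expires in 70 days
)
```

Run `filter_bundle(open("ca-bundle.crt").read(), grace_days=90)` against the real file and write the returned text to /shared/better_ca_bundle.pem before the tmsh install step; the dropped list tells you which entries went and when they expired. The grace period matters for the "soon-to-be expired" case the bug describes: with grace_days=0 only certificate #0 of the sample is removed, with grace_days=90 certificate #2 goes as well. Removing expired roots is only half of the fix, though; the script cannot add the current roots the old bundle lacks, so the source bundle still has to come from a trusted, up-to-date CA store. On a host with openssl, `openssl x509 -checkend <seconds> -noout` gives the same per-certificate answer.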

Fix Information

This release updates the default CA certificate bundle file by adding the latest CA certificates and removing the expired ones.

Behavior Change