Bug ID 701626: GUI resets custom Certificate Key Chain in child client SSL profile

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
12.1.3,,,, 13.1.0,,,,,

Fixed In:

Opened: Jan 12, 2018

Severity: 3-Major

Related Article: K16465222


In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).


The system resets Certificate Key Chain to default, even though the Custom box is checked.


This happens in the following scenario: 1. Using the GUI, create a client SSL profile. 2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl. 3. Click the Custom box for Certificate Key Chain and select a different cert and key from the default. 4. Click Update. 5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile). 6. Click Update again.


To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This will set the value of inherit-certkeychain to false , preventing the issue from occurring. You can also use tmsh to update parent profile settings to avoid the occurrence of this issue..

Fix Information

GUI no longer resets custom Certificate Key Chain in child client SSL profiles.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips