Bug ID 701626: GUI resets custom Certificate Key Chain in child client SSL profile

Last Modified: Oct 06, 2020

Affected Product:
BIG-IP LTM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 13.1.0

Fixed In:

Opened: Jan 12, 2018
Severity: 3-Major
Related AskF5 Article:


In the GUI, editing a client SSL profile or selecting a different parent profile changes the Certificate Key Chain to default (i.e., /Common/default.crt and /Common/default.key).


The system resets Certificate Key Chain to default, even though the Custom box is checked.


This happens in the following scenario:
1. Using the GUI, create a client SSL profile.
2. Configure the new profile to inherit from a client SSL profile other than the default, clientssl.
3. Click the Custom box for Certificate Key Chain and select a cert and key other than the default.
4. Click Update.
5. In the GUI, change any setting in the newly created profile, or select a different parent profile (but not the clientssl profile).
6. Click Update again.


To work around this issue in the GUI, click the Custom checkbox next to the 'Certificate Key Chain' option in the parent profile. This sets the value of inherit-certkeychain to false, preventing the issue from occurring. You can also use tmsh to update the parent profile settings to avoid this issue.
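The following audit is an added example, not F5 code: it reads a client SSL profile listing and reports child profiles that sit on the default cert/key pair or whose parent still lacks the workaround. The stanza layout is an assumption modelled on `tmsh list ltm profile client-ssl` output, and every profile and file name in the sample is constructed.

```python
import re

DEFAULT_PAIR = {"/Common/default.crt", "/Common/default.key"}
# Constructed sample; layout assumed from `tmsh list ltm profile client-ssl`.
STANZA = """ltm profile client-ssl {0} {{
    cert-key-chain {{
        {0} {{
            cert /Common/{1}.crt
            key /Common/{1}.key
        }}
    }}
    defaults-from /Common/{2}
    inherit-certkeychain {3}
}}
"""
SAMPLE = "".join(STANZA.format(*row) for row in [
    ("parent_a", "site-a", "clientssl", "true"),
    ("parent_b", "site-b", "clientssl", "false"),  # workaround applied
    ("child_reset", "default", "parent_a", "false"),
    ("child_custom", "shop", "parent_a", "false"),
    ("child_safe", "api", "parent_b", "false"),
])

def parse_profiles(text):
    """Return {name: {"parent", "inherit", "files"}} per client-ssl stanza."""
    profiles = {}
    for name, body in re.findall(
            r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", text, re.M | re.S):
        field = lambda key: re.search(rf"^\s*{key}\s+(\S+)", body, re.M).group(1)
        profiles[name] = {
            "parent": field("defaults-from").rsplit("/", 1)[-1],
            "inherit": field("inherit-certkeychain") == "true",
            "files": set(re.findall(r"^\s*(?:cert|key)\s+(\S+)", body, re.M)),
        }
    return profiles

def audit(text):
    """Flag child profiles whose parent is not the base clientssl profile."""
    profiles, report = parse_profiles(text), {}
    for name, p in profiles.items():
        parent = profiles.get(p["parent"])
        if p["parent"] == "clientssl" or parent is None:
            continue
        if p["files"] == DEFAULT_PAIR:
            report[name] = "default-pair"  # may already have been reset
        elif parent["inherit"]:
            report[name] = "exposed"  # parent lacks the workaround
    return report
```

A `default-pair` result is only a prompt to compare the profile against its intended certificate, since a child can use the default pair on purpose.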

Fix Information

GUI no longer resets custom Certificate Key Chain in child client SSL profiles.

Behavior Change