Bug ID 704336: Updating 3rd party device cert not copied correctly to trusted certificate store

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1

Fixed In:
14.1.0, 13.1.1.2, 12.1.3.6

Opened: Jan 30, 2018

Severity: 4-Minor

Symptoms

When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.

Impact

The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.

Conditions

Updating Device certificate which also includes multiple intermediate and root certificates.

Workaround

Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix Information

The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips