Bug ID 704336: Updating 3rd party device cert not copied correctly to trusted certificate store

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
12.1.2, 12.1.3,,,,,, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,,,,,,, 13.1.1, 14.0.0,,,,,, 14.0.1,

Fixed In:

Opened: Jan 30, 2018

Severity: 4-Minor


When a BIG-IP admin updates the Device Certificate which also includes multiple CA intermediate and root certificates, it's expected that the new Device Certificate and its trust chain certificates are written to /config/big3d/client.crt and /config/gtm/server.crt. However, if the new Device Certificate is signed by a third party, only the Device Certificate is copied to client.crt and server.crt, even though root and intermediate certificates are written to /config/httpd/conf/ssl.crt/server.crt.


The Trusted Device and Trusted server Certificates do not include intermediate CA and root certificates.


Updating Device certificate which also includes multiple intermediate and root certificates.


Manually copy/append the missing intermediate and root certificate to /config/big3d/client.crt and /config/gtm/server.crt.

Fix Information

The fix will now add all the intermediate and root certificate including device certificate to Trusted Server and Trusted Device certificate bundle.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips