Bug ID 706688: Automatically add additional certificates to BIG-IP system in C2S and IC environments

Last Modified: Oct 16, 2023

Affected Product(s):
BIG-IP MA-VE(all modules)

Known Affected Versions:

Fixed In:

Opened: Feb 14, 2018

Severity: 2-Critical


In order to function properly, the BIG-IP system's failover and autoscale features need extra certificates (which are used inside C2S environments) and endpoint URL. The extra certificates must be pointed to by the $AWS_CA_BUNDLE environment variable. The BIG-IP system's failover and autoscale feature use AWS CLI commands. Those AWS CLI commands need to have the $AWS_CA_BUNDLE pointing to the certificate files location and endpoint URL. These must be configured manually.


Requires manual copying of the extra certificates, which are pointed to by AWS_CA_BUNDLE, to the BIG-IP system.


-- BIG-IP is running in AWS C2S (Commercial Cloud Services) where the domain is either c2s.ic.gov or sc2c.sgov.gov. -- The BIG-IP system is configured to do failover or autoscale in those environments.



Fix Information

In this release, you can add all the needed certificates' URLs in the AWS user-data. The BIG-IP system then automatically downloads and stores the certificate and sets the $AWS_CA_BUNDLE environment variable and endpoint-url. To use the functionality, when launching the BIG-IP system from the AWS web console, specify the C2S certificate URL and test URL in the following format: c2s-keys-urls=url1,url2,url3;c2s-cert-test-url=ec2.us-iso-east-1.c2s.ic.gov:443; Where the syntax explanation is as follows: 1. The string literal : c2s-keys-urls= 2. List of comma separated URLs. 3. A semicolon (;). 4. The string literal : c2s-cert-test-url= 5. A URL which is of following format <A service name (e.g., ec2)>.<The region where it is running (e.g., us-iso-east-1)>.<the domain name :443 (e.g., c2s.ic.gov:443)> Example: ec2.us-iso-east-1.c2s.ic.gov:443;

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips