Bug ID 741599: After upgrade, Client SSL profile may have extra cert-key-chain structure

Last Modified: Mar 20, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:

Fixed In:

Opened: Aug 24, 2018
Severity: 3-Major


Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.x. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade. The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.


Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.


-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly). -- The 'clientssl' built-in profile, if that profile has been modified via the GUI. -- Upgrade from pre-v14.0.0 versions to v14.0.x.


Before upgrading, use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'. After upgrade on an affected system, for SSL profiles that are not configured for SSL forward proxy: 1. Delete the extra cert-key-chain object. 2. Edit the /config/bigip.conf configuration file with a text editor and remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles. 3. Re-load the configuration using the following command: tmsh load sys config

Fix Information

The system no longer adds an extra cert-key-chain structure in Client SSL profiles after upgrade from pre-v14.0.0 versions.

Behavior Change