Last Modified: Mar 20, 2019
See more info
Known Affected Versions:
14.0.0, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206
Opened: Aug 24, 2018
Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.x. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade. The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.
Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.
-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly). -- The 'clientssl' built-in profile, if that profile has been modified via the GUI. -- Upgrade from pre-v14.0.0 versions to v14.0.x.
Before upgrading, use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attributes values back to their default by specifying the value as 'default-value'. After upgrade on an affected system, for SSL profiles that are not configured for SSL forward proxy: 1. Delete the extra cert-key-chain object. 2. Edit the /config/bigip.conf configuration file with a text editor and remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles. 3. Re-load the configuration using the following command: tmsh load sys config
The system no longer adds an extra cert-key-chain structure in Client SSL profiles after upgrade from pre-v14.0.0 versions.