Bug ID 741599: After upgrade, Client SSL profile may have extra cert-key-chain structure

Last Modified: Jul 12, 2023

Affected Product(s):
BIG-IP Install/Upgrade, LTM(all modules)

Known Affected Versions:
14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5

Opened: Aug 24, 2018

Severity: 3-Major

Symptoms

Extra cert-key-chain structure appears in Client SSL profile after upgrade from pre-v14.0.0 versions to v14.0.x. The extra cert-key-chain object with a 'usage CA' attribute appears even when the SSL profile is not configured for SSL forward proxy prior to upgrade. The 'usage CA' cert-key-chain structure is expected when an SSL profile is configured for SSL forward proxy.

Impact

-- Extraneous 'usage CA' cert-key-chain entries added to configuration after upgrade.

Conditions

-- SSL profiles have had their 'proxy-ca-cert' and 'proxy-ca-key' attributes modified (even if simply set to the default value of 'none' explicitly).
-- The 'clientssl' built-in profile, if that profile has been modified via the GUI.
-- Upgrade from pre-v14.0.0 versions to v14.0.x.

Workaround

There are two parts to this workaround: one to complete before upgrading and one after.

Before Upgrade:

Use tmsh to set the 'proxy-ca-cert' and 'proxy-ca-key' attribute values back to their default by specifying the value as 'default-value'.

After Upgrade:

Perform the following procedure for SSL profiles that are not configured for SSL forward proxy:

1. Delete the extra cert-key-chain objects by doing either a) or b):

a) Manually edit the /config/bigip.conf configuration file with a text editor, remove the 'proxy-ca-cert' and 'proxy-ca-key' attributes for those profiles, and save the config.

b) Assuming no Forward Proxy is in use, run the following command, and then save the config:

    tmsh modify ltm profile client-ssl all cert-key-chain delete { CA_default }

3. Reload the configuration:

    tmsh load sys config

4. Check that the config loads correctly and there are no more CA objects:

    tmsh list ltm profile client-ssl all cert-key-chain | grep CA_default
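As an offline complement to the final check, the following Python sketch (an added example, not F5 code) scans a copy of bigip.conf and reports client-ssl profiles that carry a 'usage CA' cert-key-chain entry without forward proxy enabled in their own stanza. It assumes forward proxy appears as 'ssl-forward-proxy enabled' inside the stanza, does not resolve settings inherited from a parent profile, and runs on a constructed sample with made-up profile names.

```python
import re

# Constructed sample in bigip.conf syntax; profile and file names are made up.
SAMPLE_CONF = """\
ltm profile client-ssl /Common/web_clientssl {
    cert-key-chain {
        CA_default {
            cert /Common/default.crt
            key /Common/default.key
            usage CA
        }
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
}
ltm profile client-ssl /Common/fwd_proxy_clientssl {
    cert-key-chain {
        CA_default {
            cert /Common/proxy_ca.crt
            key /Common/proxy_ca.key
            usage CA
        }
    }
    ssl-forward-proxy enabled
}
"""
HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")

def extraneous_ca_profiles(conf_text):
    """Return {profile: ['usage CA' chain names]} where forward proxy is not enabled."""
    ca, fwd, profile, entry, in_chain, depth = {}, set(), None, None, False, 0
    for line in map(str.strip, conf_text.splitlines()):
        if depth == 0:  # top level: track client-ssl stanzas only
            m = HEADER.match(line)
            profile = m.group(1) if m else None
        elif profile and depth == 1:
            in_chain = line == "cert-key-chain {"
            if line == "ssl-forward-proxy enabled":  # assumed attribute spelling
                fwd.add(profile)
        elif profile and in_chain and depth == 2 and line.endswith("{"):
            entry = line[:-1].strip()  # name of the cert-key-chain entry
        elif profile and in_chain and depth == 3 and line == "usage CA":
            ca.setdefault(profile, []).append(entry)
        depth += line.count("{") - line.count("}")  # follow brace nesting
    return {p: names for p, names in ca.items() if p not in fwd}

if __name__ == "__main__":
    print(extraneous_ca_profiles(SAMPLE_CONF))
```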

Fix Information

The system no longer adds an extra cert-key-chain structure in Client SSL profiles after upgrade from pre-v14.0.0 versions.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips