Bug ID 743111: Tmsh run sys crypto check-cert reports expired certificates on BIG-IQ

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IQ Platform(all modules)

Known Affected Versions:
5.4.0, 6.0.1, 6.0.1.1, 6.0.1.2, 6.1.0, 7.0.0, 7.0.0.1, 7.0.0.2, 7.1.0, 7.1.0.1, 7.1.0.2, 7.1.0.3, 7.1.6, 7.1.6.1, 7.1.7, 7.1.7.1, 7.1.7.2, 7.1.8, 7.1.8.1, 7.1.8.2, 7.1.8.3, 7.1.8.4, 7.1.8.5, 7.1.9, 7.1.9.7, 7.1.9.8, 7.1.9.9

Opened: Sep 06, 2018

Severity: 4-Minor

Symptoms

The "tmsh run sys crypto check-cert" command reports expired certificates when run on BIG-IQ.

Impact

There is no impact besides the warning. BIG-IQ verifies certificates against a different default certificate bundle than the one inspected by "tmsh run sys crypto check-cert". The tmsh command is meant to run on BIG-IP and does not check the correct certs on BIG-IQ.

Conditions

The "tmsh run sys crypto check-cert" command is run on BIG-IQ.

Workaround

Do not use the "tmsh run sys crypto check-cert" command on the BIG-IQ. The cacerts truststore under /usr/lib/jvm/java-1.8.0.141-3.b16.el6_9.x86_64/jre/lib/security (in 5.4, 6.0.0, 6.0.1 and 6.1.0) contains the default CA certs, and the SSL Certificate Verification settings list the custom certs used when validation is performed with provided certs. Expiration dates for those certs are shown in the grid of certs imported for verifying hosts.

To view the details of the certs in the cacerts store, use the keytool tool from the command line:

    /usr/lib/jvm/java-1.8.0.141-3.b16.el6_9.x86_64/jre/bin/keytool -list -v -keystore /usr/lib/jvm/java-1.8.0.141-3.b16.el6_9.x86_64/jre/lib/security/cacerts

You will need the password for the store, which is likely the default: changeit

Note that this default truststore will likely be updated in a subsequent BIG-IQ release.
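The keytool listing above is verbose and has no expiry check of its own, so the example below (added here; it is not F5 code and not part of this bug record) parses "keytool -list -v" output and flags entries that are already expired or expire within a warning window. The sample keytool output embedded in the block is constructed for illustration, the alias names and CA subjects are invented, and the date format assumed is the one keytool prints ("Fri Jan 20 00:00:00 UTC 2017"). The optional list_keystore helper only works on a host with a JRE installed.

```python
"""Report expired / expiring certificates from 'keytool -list -v' output.

Added example for checking the BIG-IQ cacerts truststore; not F5 code.
Typical use on the box (paths from the workaround):
  <jre>/bin/keytool -list -v -keystore <jre>/lib/security/cacerts | python3 check_cacerts.py
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# keytool prints validity as:
# "Valid from: Fri Jan 20 00:00:00 UTC 2017 until: Sat Jan 20 23:59:59 UTC 2018"
KEYTOOL_DATE_FORMAT = "%a %b %d %H:%M:%S %Z %Y"
ALIAS_RE = re.compile(r"^Alias name:\s*(.+?)\s*$")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$")

# Constructed sample of "keytool -list -v" output (invented aliases/CAs, not BIG-IQ data).
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: exampleca-root
Creation date: Jan 20, 2017
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
Serial number: 1
Valid from: Fri Jan 20 00:00:00 UTC 2017 until: Sat Jan 20 23:59:59 UTC 2018


*******************************************
*******************************************


Alias name: exampleca-longlived
Creation date: Jan 1, 2020
Entry type: trustedCertEntry

Owner: CN=Example Long-Lived CA, O=Example
Issuer: CN=Example Long-Lived CA, O=Example
Serial number: 2
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Dec 31 23:59:59 UTC 2030


*******************************************
*******************************************


Alias name: exampleca-expiring
Creation date: Jun 15, 2023
Entry type: trustedCertEntry

Owner: CN=Example Short-Lived CA, O=Example
Issuer: CN=Example Short-Lived CA, O=Example
Serial number: 3
Valid from: Thu Jun 15 00:00:00 UTC 2023 until: Sat Jun 15 23:59:59 UTC 2024
"""

# Fixed "now" used for the sample so the result is reproducible (constructed).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_keytool_date(text):
    # keytool dates are printed in UTC; strptime ignores %Z, so attach the tz ourselves.
    return datetime.strptime(text, KEYTOOL_DATE_FORMAT).replace(tzinfo=timezone.utc)


def parse_keytool_listing(text):
    """Return [(alias, not_before, not_after), ...] from keytool -list -v output."""
    entries = []
    alias = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)          # remember alias until its validity line appears
            continue
        m = VALID_RE.match(line)
        if m and alias is not None:
            entries.append((alias, _parse_keytool_date(m.group(1)), _parse_keytool_date(m.group(2))))
            alias = None                # one validity line per entry
    return entries


def classify(entries, now, warn_days=30):
    """Bucket entries by not_after: expired, expiring within warn_days, or ok."""
    report = {"expired": [], "expiring": [], "ok": []}
    for alias, _not_before, not_after in entries:
        days_left = (not_after - now).days
        if not_after <= now:
            report["expired"].append((alias, days_left))
        elif days_left <= warn_days:
            report["expiring"].append((alias, days_left))
        else:
            report["ok"].append((alias, days_left))
    return report


def list_keystore(keytool, keystore, storepass="changeit"):
    """Run keytool on a real store (requires a JRE) and parse its output."""
    out = subprocess.run([keytool, "-list", "-v", "-keystore", keystore, "-storepass", storepass],
                         check=True, capture_output=True, text=True).stdout
    return parse_keytool_listing(out)


if __name__ == "__main__":
    # Read piped keytool output if present, otherwise fall back to the constructed sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYTOOL_OUTPUT
    now = datetime.now(timezone.utc) if not sys.stdin.isatty() else SAMPLE_NOW
    for bucket, items in classify(parse_keytool_listing(listing), now).items():
        for alias, days in items:
            print(f"{bucket:8} {alias:30} days_left={days}")
```

The list_keystore helper passes -storepass on the command line, which makes the password visible in the process list while keytool runs; piping the output of an interactively prompted keytool into the script avoids that. Note that the trust decision on BIG-IQ is made against this cacerts store plus the certs in the SSL Certificate Verification grid, so an expiry found here is what actually matters, unlike the tmsh warning this bug describes.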

Fix Information

None

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips