Issue
When you update the parent profile on a client SSL profile, the cert-key-chain settings are inherited from the new parent profile, even though the cert-key-chain is explicitly configured within the child profile.
Consider the following:
- You have a client SSL profile ‘CLIENTSSL’ with the cert, key and chain configured along with a parent profile set to ‘CLIENTSSL-PARENT’.
- You create a new client SSL profile ‘CLIENTSSL-PARENT-NEW’. The cert-key-chain options are not configured.
- You update your profile ‘CLIENTSSL’ with the new parent profile ‘CLIENTSSL-PARENT-NEW’.
- The child profile ‘CLIENTSSL’ inherits the cert-key-chain options from the new parent profile ‘CLIENTSSL-PARENT-NEW’.
- When looking at the configuration of the child profile ‘CLIENTSSL’ you see the setting inherit-certkeychain true:

ltm profile client-ssl clientssl {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}
Workaround
To prevent this behavior, create the new parent SSL profile via TMSH and configure its cert-key-chain as none. This ensures that the child profile retains its current cert-key-chain settings and does not inherit them from its new parent.
create ltm profile client-ssl CLIENTSSL-PARENT-NEW cert-key-chain add { none }
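
To check whether existing profiles have already picked up this behavior, the listing can be parsed for inherit-certkeychain true. The following is an added example, not part of the original post: it assumes saved output in the layout shown above, and the second profile and its certificate names are constructed for illustration.

```python
# Constructed sample in the layout of `tmsh list ltm profile client-ssl` output.
# The second profile and its certificate names are hypothetical.
SAMPLE = """\
ltm profile client-ssl clientssl {
    app-service none
    cert-key-chain { default { cert default.crt key default.key } }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}
ltm profile client-ssl clientssl-api {
    app-service none
    cert-key-chain { api_0 { cert api.example.crt key api.example.key } }
    defaults-from clientssl-parent
    inherit-certkeychain false
}
"""

HEADER = ["ltm", "profile", "client-ssl"]

def parse_profiles(text):
    """Map profile name -> parent, inherit flag and configured cert names."""
    tok = text.split()  # braces are whitespace-separated in tmsh output
    profiles, i = {}, 0
    while i < len(tok):
        if tok[i:i + 3] != HEADER or tok[i + 4:i + 5] != ["{"]:
            i += 1
            continue
        prof = profiles.setdefault(
            tok[i + 3], {"parent": None, "inherit": False, "certs": []})
        depth, i = 1, i + 5
        while i < len(tok) and depth:
            t, nxt = tok[i], tok[i + 1:i + 2]
            if t == "{":
                depth += 1
            elif t == "}":
                depth -= 1
            elif depth == 1 and t == "defaults-from" and nxt:
                prof["parent"] = nxt[0]
            elif depth == 1 and t == "inherit-certkeychain" and nxt:
                prof["inherit"] = nxt[0] == "true"
            elif depth == 3 and t == "cert" and nxt:  # cert-key-chain { <entry> { cert ... } }
                prof["certs"].append(nxt[0])
            i += 1
    return profiles

def inherited_certkeychain(text):
    """(name, parent, certs) for each profile whose cert-key-chain comes from its parent."""
    return sorted((n, p["parent"], p["certs"])
                  for n, p in parse_profiles(text).items() if p["inherit"])

if __name__ == "__main__":
    for name, parent, certs in inherited_certkeychain(SAMPLE):
        print(f"{name}: cert-key-chain inherited from {parent}, serving {certs}")
```

Any profile reported here that was meant to carry its own certificate should be reviewed after a parent change.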