BIGIP F5 - Changing Parent in SSL Profile Removes Certificate, Key and Chain

Issue

When the parent profile of a client SSL profile is updated, the cert-key-chain settings are inherited from the new parent profile, even though the cert-key-chain is explicitly configured within the child profile.

Consider the following:

  • You have a client SSL profile 'CLIENTSSL' with the cert, key and chain configured along with a parent profile set to 'CLIENTSSL-PARENT'.
  • You create a new client SSL profile 'CLIENTSSL-PARENT-NEW'. The cert-key-chain options are not configured.
  • You update your profile 'CLIENTSSL' with the new parent profile 'CLIENTSSL-PARENT-NEW'.
  • The child profile 'CLIENTSSL' inherits the cert-key-chain options from the parent profile.
  • When looking at the configuration of the child profile 'CLIENTSSL', you see the command inherit-certkeychain true:

ltm profile client-ssl clientssl {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}

Work Around

To prevent this behavior, create the new parent SSL profile via TMSH and configure its cert-key-chain as none. This ensures that the child profile retains its current cert-key-chain settings and does not inherit them from its new parent.

 create ltm profile client-ssl CLIENTSSL-PARENT-NEW cert-key-chain add { none }
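
To check whether existing profiles are already affected, the following added example (not from the original article or from F5) parses client-ssl stanzas in the layout shown above and lists every profile that has inherit-certkeychain true, together with its parent and the certificate it lists. The sample configuration, the 'shop' profile and the function names are constructed for illustration.

```python
import re

# Constructed sample in the stanza layout shown above; not output from a real device.
SAMPLE = """\
ltm profile client-ssl clientssl {
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}
ltm profile client-ssl shop {
    cert-key-chain {
        shop_0 {
            cert shop.crt
            key shop.key
        }
    }
    defaults-from clientssl-parent
    inherit-certkeychain false
}
"""
HEADER = re.compile(r"ltm profile client-ssl (\S+) \{$")

def parse_profiles(text):
    """Map each client-ssl profile name to its settings (nested ones flattened)."""
    profiles, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            m = HEADER.match(line)      # only client-ssl stanzas are tracked
            if m:
                current, depth = profiles.setdefault(m.group(1), {}), 1
        elif line.endswith("{"):        # entering cert-key-chain or an entry in it
            depth += 1
        elif line == "}":
            depth -= 1
        elif line:
            key, _, value = line.partition(" ")
            current[key] = value
    return profiles

def inheriting(text):
    """Profiles that take cert-key-chain from their parent: (name, parent, cert)."""
    return [(name, p.get("defaults-from"), p.get("cert"))
            for name, p in parse_profiles(text).items()
            if p.get("inherit-certkeychain") == "true"]
```

Calling inheriting() on the client-ssl stanzas of a saved configuration returns the profiles to review; an entry whose parent was changed recently is the case described in this article.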

Reference

SOL16150 - A Client SSL parent profile may unexpectedly override certificate, key, and chain certificate configurations in its child profile

About the Author

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001