BIGIP F5: SSL Profile Changing Parent Removes Certificate, Key & Chain

Issue

When you change the parent profile of a client SSL profile, the cert-key-chain settings are inherited from the new parent profile, even though the cert-key-chain is explicitly configured within the child profile.

Consider the following:

  • You have a client SSL profile ‘CLIENTSSL’ with the cert, key and chain configured along with a parent profile set to ‘CLIENTSSL-PARENT’.
  • You create a new client SSL profile ‘CLIENTSSL-PARENT-NEW’. The cert-key-chain options are not configured.
  • You update your profile ‘CLIENTSSL’ with the new parent profile ‘CLIENTSSL-PARENT-NEW’.
  • The child profile ‘CLIENTSSL’ inherits the cert-key-chain options from the parent profile.
  • When looking at the configuration of the child profile ‘CLIENTSSL’ you see the command inherit-certkeychain true:

ltm profile client-ssl clientssl {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}

Work Around

To prevent this behavior, create the new parent SSL profile via TMSH and configure its cert-key-chain as none. This ensures that the child profile retains its current cert-key-chain settings and does not inherit them from its new parent.

 create ltm profile client-ssl CLIENTSSL-PARENT-NEW cert-key-chain add { none }
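
To check for the condition described above, the following added example (not from the original post or from F5) parses saved `tmsh list ltm profile client-ssl` output and reports every profile that shows inherit-certkeychain true, together with its parent and the cert and key the listing now displays. The sample stanzas and the profile name shop-clientssl are constructed for illustration.

```python
import re

# Constructed sample in the stanza format shown on this page (names made up).
SAMPLE = """\
ltm profile client-ssl clientssl {
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}
ltm profile client-ssl shop-clientssl {
    defaults-from clientssl-parent
    inherit-certkeychain false
}
"""
HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")

def parse_profiles(text):
    """Return {profile name: {setting: value}} for each client-ssl stanza."""
    profiles, current, depth = {}, None, 0
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line) if depth == 0 else None
        if m:
            current, depth = profiles.setdefault(m.group(1), {}), 1
        elif current is None or not line:
            continue              # outside any client-ssl stanza, or blank
        elif line.endswith("{"):
            depth += 1            # nested block such as cert-key-chain
        elif line == "}":
            depth -= 1
            if depth == 0:
                current = None    # end of this profile
        else:
            key, _, value = line.partition(" ")
            # top-level settings, plus the cert/key named inside cert-key-chain
            if depth == 1 or key in ("cert", "key"):
                current.setdefault(key, value)
    return profiles

def inheriting(text):
    """(profile, parent, cert, key) for profiles taking cert-key-chain from the parent."""
    return sorted((name, p.get("defaults-from"), p.get("cert"), p.get("key"))
                  for name, p in parse_profiles(text).items()
                  if p.get("inherit-certkeychain") == "true")
```

Run `inheriting()` on a listing captured before and after a parent change; any profile that newly appears in the result has lost its own certificate, key and chain to the parent.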

Reference

SOL16150 – A Client SSL parent profile may unexpectedly override certificate, key, and chain certificate configurations in its child profile

Rick Donato