BIGIP F5: SSL Profile Changing Parent Removes Certificate, Key & Chain

Issue

When you change the parent profile of a client SSL profile, the cert-key-chain settings are inherited from the new parent profile, even though the cert-key-chain is explicitly configured within the child profile.

Consider the following:

  • You have a client SSL profile ‘CLIENTSSL’ with the cert, key and chain configured along with a parent profile set to ‘CLIENTSSL-PARENT’.
  • You create a new client SSL profile ‘CLIENTSSL-PARENT-NEW’. The cert-key-chain options are not configured.
  • You update your profile ‘CLIENTSSL’ with the new parent profile ‘CLIENTSSL-PARENT-NEW’.
  • The child profile ‘CLIENTSSL’ inherits the cert-key-chain options from the parent profile.
  • When looking at the configuration of the child profile ‘CLIENTSSL’ you see the command inherit-certkeychain true:

ltm profile client-ssl clientssl {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}
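
A check for the state shown above, added here as an example and not taken from the original post or from F5: it scans saved output of tmsh list ltm profile client-ssl and reports each profile that has inherit-certkeychain true, with its parent and the certificate and key it ends up with. The function name, the second sample profile and its file names are constructed for illustration.

```python
import re

# Constructed input: stanza 1 is the one shown on the page, stanza 2 is made up.
SAMPLE = """\
ltm profile client-ssl clientssl {
    app-service none
    cert-key-chain {
        default {
            cert default.crt
            key default.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain true
}
ltm profile client-ssl shop-example {
    cert-key-chain {
        shop {
            cert shop.example.com.crt
            key shop.example.com.key
        }
    }
    defaults-from clientssl-parent-new
    inherit-certkeychain false
}
"""

def inheriting_profiles(text):
    """Return (profile, parent, cert, key) for stanzas that inherit the chain."""
    found, name, depth, cfg = [], None, 0, {}
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"ltm profile client-ssl (\S+) \{$", line)
        if depth == 0 and header:
            name, depth, cfg = header.group(1), 1, {}
        elif depth:
            if line.endswith("{"):
                depth += 1
            elif line == "}":
                depth -= 1
            else:
                key, _, value = line.partition(" ")
                cfg[key] = value  # flat view: last cert/key in the stanza wins
            if depth == 0 and cfg.get("inherit-certkeychain") == "true":
                found.append((name, cfg.get("defaults-from"),
                              cfg.get("cert"), cfg.get("key")))
    return found

if __name__ == "__main__":
    for row in inheriting_profiles(SAMPLE):
        print("inherits cert-key-chain from parent:", *row)
```

Any profile it lists that is meant to serve its own certificate should be reviewed before and after a parent change.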

Workaround

To prevent this behavior, create the new parent SSL profile via TMSH and configure its cert-key-chain as none. This ensures that the child profile retains its current cert-key-chain settings and does not inherit them from its new parent.

 create ltm profile client-ssl CLIENTSSL-PARENT-NEW cert-key-chain add { none }

Reference

SOL16150 – A Client SSL parent profile may unexpectedly override certificate, key, and chain certificate configurations in its child profile

Rick Donato
