F5 11.5.x - Client SSL profile cannot contain more than one set of same certificate/key type

Issue

Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1].

However, the pairs associated with one profile must each be of a different key type (for example one RSA and one ECDSA pair); a single profile cannot hold two certificate/key pairs of the same type, such as two RSA pairs. If certificate/key pairs of the same type are assigned to the same SSL profile, the BIG-IP is unable to load the configuration and returns the following error message:

Client SSL profile cannot contain more than one set of same certificate/key type

Solution

To resolve the issue, remove the additional cert/key pair of the duplicated type from the SSL profile. In the example below the default cert/key entry has been left in the profile alongside the fir3net.com pair, so it is the one that is removed:

ltm profile client-ssl /Common/fir3net.com-2016 {
    app-service none
    cert-key-chain {
-       default {
-           cert /Common/default.crt
-           key /Common/default.key
-       }
        fir3net.com-certkey {
            cert /Common/fir3net.com-2016.crt
            chain /Common/VeriSignClass3-InternationalServerCA-G3.crt
            key /Common/fir3net.com-2016.key
        }
    }
    defaults-from /Common/clientssl
}

To validate a configuration against this issue, the following command can be run from within tmsh; it verifies that the configuration loads without committing it. This is recommended prior to performing any upgrade from v11.5.x.

load sys config verify
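The tmsh verify above only tells you that something in the configuration fails to load. As an added example (not part of the original article or of F5's tooling), the following Python script pinpoints the offending profile offline: it parses a bigip.conf fragment, collects each client-ssl profile's cert-key-chain entries, resolves each certificate's key type, and reports any profile that holds two entries of the same type. The key-type resolver shells out to openssl for real use, which assumes the referenced certificate files are readable on the host where you run it; the sample config and the key-type mapping at the bottom are constructed for illustration, with a hypothetical fir3net.com-ecc.crt standing in for an ECDSA certificate.

```python
import re
import subprocess
from collections import defaultdict


def parse_tmsh(text):
    """Parse tmsh brace syntax (as in bigip.conf) into nested dicts.

    Each 'name {' line opens a block keyed by its full header text, 'key value'
    lines become leaves, and '}' closes the current block.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line == '}':
            stack.pop()
            continue
        if line.endswith('{ }') or line.endswith('{}'):
            # tmsh writes empty blocks on one line, e.g. "ciphers { }"
            stack[-1][line.rsplit('{', 1)[0].strip()] = {}
            continue
        if line.endswith('{'):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
            continue
        parts = line.split(None, 1)
        stack[-1][parts[0]] = parts[1] if len(parts) > 1 else ''
    if len(stack) != 1:
        raise ValueError('unbalanced braces in config')
    return root


def key_type_from_openssl(cert_path):
    """Resolve a certificate's key type with openssl (assumes the file is local)."""
    out = subprocess.run(['openssl', 'x509', '-in', cert_path, '-noout', '-text'],
                         capture_output=True, text=True, check=True).stdout
    match = re.search(r'Public Key Algorithm:\s*(\S+)', out)
    algo = match.group(1) if match else 'unknown'
    return {'rsaEncryption': 'RSA', 'id-ecPublicKey': 'ECDSA',
            'dsaEncryption': 'DSA'}.get(algo, algo)


def find_duplicate_key_types(config_text, key_type=key_type_from_openssl):
    """Return {profile: {key_type: [entry names]}} for profiles that would fail to load."""
    problems = {}
    for header, body in parse_tmsh(config_text).items():
        if not header.startswith('ltm profile client-ssl ') or not isinstance(body, dict):
            continue
        chain = body.get('cert-key-chain')
        if not isinstance(chain, dict):
            continue
        by_type = defaultdict(list)
        for entry, fields in chain.items():
            if isinstance(fields, dict) and 'cert' in fields:
                by_type[key_type(fields['cert'])].append(entry)
        dups = {t: names for t, names in by_type.items() if len(names) > 1}
        if dups:
            problems[header.split()[-1]] = dups
    return problems


# Constructed sample: the article's profile before the fix (two RSA pairs) and a
# hypothetical second profile that correctly pairs one RSA with one ECDSA cert.
SAMPLE_CONFIG = """
ltm profile client-ssl /Common/fir3net.com-2016 {
    app-service none
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
        fir3net.com-certkey {
            cert /Common/fir3net.com-2016.crt
            chain /Common/VeriSignClass3-InternationalServerCA-G3.crt
            key /Common/fir3net.com-2016.key
        }
    }
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/fir3net.com-dual {
    cert-key-chain {
        rsa-pair {
            cert /Common/fir3net.com-2016.crt
            key /Common/fir3net.com-2016.key
        }
        ecc-pair {
            cert /Common/fir3net.com-ecc.crt
            key /Common/fir3net.com-ecc.key
        }
    }
    defaults-from /Common/clientssl
}
"""

# Constructed key types, standing in for what openssl would report on the box.
SAMPLE_KEY_TYPES = {
    '/Common/default.crt': 'RSA',
    '/Common/fir3net.com-2016.crt': 'RSA',
    '/Common/fir3net.com-ecc.crt': 'ECDSA',
}

if __name__ == '__main__':
    for profile, dups in find_duplicate_key_types(SAMPLE_CONFIG, SAMPLE_KEY_TYPES.get).items():
        for ktype, entries in dups.items():
            print('%s: more than one %s cert/key pair: %s' % (profile, ktype, ', '.join(entries)))
```

On a real BIG-IP the certificate objects live under /config/ssl/ssl.crt/, so the paths in bigip.conf need mapping to filesystem paths (or the script run against a directory where the certificates have been copied) before the openssl resolver is useful.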

References

[1] https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html

Tags: BIG-IP F5, SSL, Certificates, Key, LTM

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001