fir3net

PPS-Firenetbanner-780.5x190-30-03-17

  • Home
  • Articles
  • Loadbalancers
  • F5 BIG-IP
  • F5 11.5.x - Client SSL profile cannot contain more than one set of same certificate/key type

F5 11.5.x - Client SSL profile cannot contain more than one set of same certificate/key type

Issue

Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1].

However, with this new feature you are cannot associate multiple certificate/key pairs of the same type within profile. If certificate/key pairs of the same type are assigned to the same SSL Profile this will result in the F5 being unable to load the configuration, and the following error message being returned,

Client SSL profile cannot contain more than one set of same certificate/key type

Solution

To resolve the issue remove the additionally cert/key pair from the SSL Profile, like so,

ltm profile client-ssl /Common/fir3net.com-2016 {
    app-service none
    cert-key-chain {
-       default {
-           cert /Common/default.crt
-           key /Common/default.key
-       }
        fir3net.com-certkey {
            cert /Common/fir3net.com-2016.crt
            chain /Common/VeriSignClass3-InternationalServerCA-G3.crt
            key /Common/fir3net.com-2016.key
        }
    }
    defaults-from /Common/clientssl
}

To validate the configuration against this issue the following command can be used, from with TMSH. This is recommended prior to performing any upgrades from v11.5.x.

load sys config verify

References

[1] https://support.f5.com/kb/en-us/solutions/public/15000/000/sol15062.html

Tags: BIG-IP F5, SSL, Certificates, Key, LTM