{"id":1031,"date":"2016-10-12T20:00:00","date_gmt":"2016-10-12T20:00:00","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2016\/10\/12\/f5-11-5-x-client-ssl-profile-cannot-contain-more-than-one-set-of-same-certificate-key-type\/"},"modified":"2023-02-24T12:59:43","modified_gmt":"2023-02-24T12:59:43","slug":"f5-11-5-x-client-ssl-profile-cannot-contain-more-than-one-set-of-same-certificate-key-type","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Loadbalancers\/F5-BIG-IP\/f5-11-5-x-client-ssl-profile-cannot-contain-more-than-one-set-of-same-certificate-key-type.html","title":{"rendered":"F5 11.5.x: Client SSL profile cannot contain more than one set of same certificate\/key type"},"content":{"rendered":"
Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate\/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1]<\/sup>.<\/p>\n However, with this new feature you cannot associate multiple certificate\/key pairs of the same type within a profile. If certificate\/key pairs of the same type are assigned to the same SSL Profile, the F5 will be unable to load the configuration and the following error message will be returned,<\/p>\n To resolve the issue, remove the additional cert\/key pair from the SSL Profile, like so,<\/p>\n To validate the configuration against this issue, the following command can be used from within TMSH. This is recommended prior to performing any upgrades from v11.5.x.<\/p>\n [1] https:\/\/support.f5.com\/kb\/en-us\/solutions\/public\/15000\/000\/sol15062.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Issue Starting in BIG-IP 11.5.0, you can associate multiple SSL certificate\/key pair types with a single SSL profile. This configuration allows the virtual server to accept SSL connections from clients supporting newer cryptographic algorithms (such as ECC), while continuing to accept connections from clients supporting traditional algorithms[1]. However, with this new feature you cannot … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":857,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"yoast_head":"\nClient SSL profile cannot contain more than one set of same certificate\/key type<\/pre>\n
Solution<\/h2>\n
ltm profile client-ssl \/Common\/fir3net.com-2016 {\r\n app-service none\r\n cert-key-chain {\r\n- default {\r\n- cert \/Common\/default.crt\r\n- key \/Common\/default.key\r\n- }\r\n fir3net.com-certkey {\r\n cert \/Common\/fir3net.com-2016.crt\r\n chain \/Common\/VeriSignClass3-InternationalServerCA-G3.crt\r\n key \/Common\/fir3net.com-2016.key\r\n }\r\n }\r\n defaults-from \/Common\/clientssl\r\n}<\/pre>\n
load sys config verify<\/pre>\n
References<\/h2>\n