Symptoms
Client SSL profiles may have certificate and key files that differ from the parent profile's, yet still have the 'inherit-certkeychain' attribute set to 'true', even though the profile should not inherit these values from the parent. For example:
ltm profile client-ssl example-prof {
    cert example.crt
    cert-key-chain {
        example {
            app-service none
            cert example.crt
            chain none
            key example.key
            passphrase none
        }
    }
    defaults-from intermediate
    inherit-certkeychain true
    key example.key
}
If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in the following error:
err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.
Impact
Unable to modify the SSL profile if profiles are assigned to a virtual server.
If the profiles are not configured for SNI, the certificate and key specified on the child profiles are reverted to the values from the parent profile.
Conditions
-- The parent profile is a profile other than 'clientssl'.
-- A child profile was created by defining the 'cert' and 'key' attributes, rather than by specifying a 'cert-key-chain', e.g.:
tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key
Workaround
Create SSL profiles by specifying a cert-key-chain, rather than specifying the 'cert' and 'key' attributes separately on the SSL profile.
For profiles that are already affected, you can use either of the following workarounds.
Use the GUI:
-- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'.
Change the configuration file:
1. Save the configuration.
2. Open bigip.conf for editing.
3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'.
4. Load the configuration.
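A check for the condition described in this article, added here as an example and not part of the original article or F5's own tooling: it parses client-ssl profile blocks from a bigip.conf excerpt, flags profiles that match the Conditions above, and applies workaround step 3 to those blocks only. It assumes the file is indented the way BIG-IP writes it, with each profile's outer closing brace in column 0; the profile sample is constructed from the page's example.

```python
import re

# Constructed bigip.conf excerpt (assumption): the affected profile from the page.
SAMPLE_CONF = """\
ltm profile client-ssl example-prof {
    cert example.crt
    cert-key-chain {
        example {
            key example.key
        }
    }
    defaults-from intermediate
    inherit-certkeychain true
    key example.key
}
"""
# Nested braces are indented, so a '}' in column 0 closes only the outer block.
BLOCK_RE = re.compile(r"^ltm profile client-ssl (\S+) \{\n(.*?)^\}", re.M | re.S)

def top_level_attrs(body):
    """Top-level 'key value' pairs of one profile body; nested blocks map to True."""
    attrs, depth = {}, 0
    for line in map(str.strip, body.splitlines()):
        if depth == 0 and line.endswith("{"):
            attrs[line[:-1].strip()] = True          # e.g. cert-key-chain
        elif depth == 0 and line:
            key, _, value = line.partition(" ")
            attrs[key] = value
        depth += line.count("{") - line.count("}")
    return attrs

def is_affected(attrs):
    """Page's conditions: explicit cert and key, parent other than 'clientssl',
    and inherit-certkeychain left at 'true'."""
    return ("cert" in attrs and "key" in attrs
            and attrs.get("defaults-from", "clientssl") != "clientssl"
            and attrs.get("inherit-certkeychain") == "true")

def affected_profiles(conf):
    return sorted(n for n, b in BLOCK_RE.findall(conf) if is_affected(top_level_attrs(b)))

def fix_conf(conf):
    """Workaround step 3: set inherit-certkeychain false in affected blocks only."""
    def patch(m):
        name, body = m.groups()
        if is_affected(top_level_attrs(body)):
            body = body.replace("inherit-certkeychain true", "inherit-certkeychain false")
        return f"ltm profile client-ssl {name} {{\n{body}}}"
    return BLOCK_RE.sub(patch, conf)
```

Run `affected_profiles` over the saved bigip.conf to list the profiles to edit; `fix_conf` returns the edited text, which you then load as in step 4.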
Fix Information
SSL profiles created by specifying certificates and keys directly in the profile now have inherit-certkeychain set to false.