BugZero | F5 BugID 794493 - Creating Client SSL profile via tmsh or iControl R...

F5 - Defect ID: 794493

Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

F5 - Defect ID: 794493

Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

Last updated on January 29th, 2026

BugZero Risk Score
6.7 Medium

Overall: 6.7

Severity: 7.3

Community: 4.2

Lifecycle: 7.0

What is the BugZero Risk Score?

F5 Integration

Learn more about where this data comes from

F5 Integration

Learn more

BugZero Plan

Streamline upgrades with automated vendor bug scrubs

BugZero Plan

Learn more

BugZero Prevent

Wish you caught this bug sooner? Get proactive today.

BugZero Prevent

Learn more

Bug Details

Priority: 3-Major
Status: Verified
Impact Category: Local Traffic Manager
Views: 7

Description

Symptoms

Client SSL profiles may have distinct (different from parent profile) certificate and key files, but the 'inherit-certkeychain' attribute set as 'true', even though the profile should not be inheriting these values from parent, for example: ltm profile client-ssl example-prof { cert example.crt cert-key-chain { example{ app-service none cert example.crt chain none key example.key passphrase none } } defaults-from intermediate inherit-certkeychain true key example.key } If multiple profiles are configured for SNI and assigned to a virtual server, attempting to modify the parent profile can result in error: err mcpd[5352]: 0107149e:3: Virtual server /Common/vs_test has more than one clientssl/serverssl profile with same server name.

Impact

Not able to modify SSL profile if profiles assigned to virtual server. If profiles are not configured for SNI, the specified certificate and key on child profiles will be reverted to the values from the parent profile.

Conditions

-- Parent profile other than 'clientssl' -- Have a child profile created by defining 'cert' and 'key' attributes, rather than specifying a 'cert-key-chain', e.g.: tmsh create ltm profile client-ssl example-prof defaults-from intermediate cert example.crt key example.key

Workaround

Create SSL profiles by specifying cert-key-chain, rather than separately specifying 'cert' and 'key' attributes on SSL profile. For profiles that are already affected, you can use either of the following workarounds. Use the GUI: -- Modify profiles using the GUI and check the 'Custom' checkbox for 'Certificate Key Chain'. Change the configuration file: 1. Save the configuration. 2. Open bigip.conf for editing. 3. Modify the affected profiles, changing 'inherit-certkeychain true' to 'inherit-certkeychain false'. 4. Load the configuration.

Fix Information

SSL profiles created specifying certificates and keys in the profile now have inherit-certkeychain set to false.

Change history

2025-04-28 Added: 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Relevant Products

Click on a version to see all relevant bugs

Affected versions:13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed versions: 13.1.3

Relevant Products

Click on a version to see all relevant bugs

Affected versions:13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Fixed versions: 13.1.3

Top F5 Defects

9.7Defect ID: 1505789
VPN connection fails with Edge client 7.2.4.6 with error "Network is vulnerable"
9.4Defect ID: 1785385
Intermittent traffic failures when tenant is running BIG-IP v17.1.2 or above and host is on version prior to F5OS-A 1.8.0 or F5OS-C 1.8.0
9.4Defect ID: 2292013
Admin users cannot create or view virtual servers and other objects in non-Common partitions in TMUI
9.4Defect ID: 2291757
Cannot login through ssh or console after upgrading to 17.5.1.6
9.4Defect ID: 970269
Install fails as lind keeps failing due to "Fatal error: block id new probe failed - device file:/dev/cdrom"

Ready to prevent the next vendor outage?

Get a demo

F5 - Defect ID: 794493

Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

F5 - Defect ID: 794493

Creating Client SSL profile via tmsh or iControl REST and specifying 'cert' and 'key' incorrectly leaves inherit-certkeychain as true

Last updated on January 29th, 2026

BugZero Risk Score6.7 Medium

Bug Details

Symptoms

Impact

Conditions

Workaround

Fix Information

Top F5 Defects

Ready to prevent the next vendor outage?

Links

BugZero Risk Score
6.7 Medium