CA Certificate Authorities DST ACES CA X6 - DigiNotar expired
Dear all,
The Certificate Authorities Bundle in the BIG-IP box has a few root/intermediary certificates that have expired or are expiring soon. Some of them are "DigiNotar", "DST ACES CA".
I know that by upgrading the box this part will be upgraded as well, but I cannot do it because I am migrating everything to a new and more powerful BIG-IP, which will take some months. Also the version is higher. OLD BIG-IP is running 11.6.1, new BIG-IP is running 12.1.2.
I had a look at this problem around the internet and I have found some useful information, but I still have to understand how important it is to react to this issue.
On the test-virtual BIG-IP running V11.6.1-Last HF, I have tried to use the iApp template "; as described in "K18929326" but I see that nothing changes. The CA Bundle stays the same and the same certificates are expired.
I have also viewed this K15847 and it says that this problem applies only to version 11.4, but instead I see that the same certificates (DigiNotar) are expired on version 11.6.1.
Do you have any suggestion on what I have to do?
Thank you in advance. Luigi
3 Replies
- Kevin_K_51432 Historic F5 Account
Greetings Luigi,
It may be easier to simply download the most recent CA bundle and associate that with the client SSL profile. If you navigate to downloads, look for "Certificate-Authority-Bundle": https://downloads.f5.com/esd/productlines.jsp
Alternatively, you can try the workaround in the article you mentioned: K15847.
Hope this is helpful!
Kevin
- luigi_bros Nimbostratus
Hi Kevin,
I have done everything in a test Virtual-F5 environment, but I can see that there is no way to delete the original ca-bundle, nor is it possible to overwrite it with the new one. Having a look at the exported "scf" configuration, I can see that they are referenced by some native Application Templates.
As a result I have no other choice than leaving the original "ca-bundle" in the big-ip and getting from time to time email alerts saying that a certificate in the original "ca-bundle" is going to expire.
Am I wrong?
Had I better give up and ignore this, or is there a way to put everything in order?
Thank you. luigi_bros
- Kevin_K_51432Historic F5 Account
Hi Luigi,
The ca-bundle.crt shouldn't take up much disk space. Can you leave it on the BIG-IP and reference the newly imported one? Just give it a different name when you import it:
ca-bundle-2017.crt
If you've configured email alerts, you can stop them with the following:
https://support.f5.com/csp/article/K36641730
Hope this is helpful!
Kevin
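Added example, not part of the thread and not F5 tooling: a shell function that lists which certificates in a PEM bundle are already expired or will expire within a given number of days, so a newly downloaded bundle can be checked before it is imported under a new name. It assumes `openssl` and `awk` are available; the function names and the sample CNs are hypothetical.

```shell
#!/bin/sh
# Added example: assumes a POSIX shell with openssl and awk on the PATH.
# Function names and the sample CNs below are hypothetical.

# audit_bundle BUNDLE DAYS
# Print subject and notAfter for every certificate in a PEM bundle that is
# already expired or expires within DAYS days.
audit_bundle() {
    bundle=$1
    window=$(( $2 * 86400 ))            # -checkend takes seconds
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate; text outside the
    # BEGIN/END markers (comments, labels) is ignored.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue         # bundle held no certificates
        # -checkend exits non-zero when notAfter falls inside the window
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$tmp"
}

# make_sample_bundle OUT: constructed test input, two throwaway self-signed
# certificates valid for 1 day and 3650 days.
make_sample_bundle() {
    d=$(mktemp -d) || return 1
    : > "$1"
    for spec in short-lived-root:1 long-lived-root:3650; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
            -subj "/CN=${spec%%:*}" -days "${spec##*:}" -out "$d/cert.pem" \
            2>/dev/null || return 1
        cat "$d/cert.pem" >> "$1"
    done
    rm -rf "$d"
}

# Usage: audit_bundle ca-bundle-2017.crt 60
```

An empty result for the chosen window means no certificate in that bundle should trigger an expiry alert during that period.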
