CA Certificate Authorities DST ACES CA X6 - DigiNotar expired

Question

Dears all,&nbsp;
The Certificate Authorities Bundle in the BIG-IP box has a few root/intermediary certificates expired or expiring soon. Some of them are "DigiNotar", "DST ACES CA".&nbsp;
I know that upgrading the box this part will be upgraded as well but I cannot do it because I am migrating everything to a new and more powerful BIG-IP which will take some months. Also the version is higher. OLD BIG-IP is running 11.6.1, new BIG-IP is runnig 12.1.2.&nbsp;
I had a look at this problem around internet and I have found some useful information but I have to still understand how much important is to react on this issue.&nbsp;
On the test-virtual BIG-IP running V11.6.1-Last HF, I have tried to use the iApp template "; as described in "K18929326" but I see that nothing changes. The CA Bundle stays the same and the same certificates are expired.&nbsp;
I have also viewd this K15847 and it says that this problem applyes only to 11.4 version but instead I see that the same certificates (DigiNotar) are expired on the version 11.6.1.&nbsp;
Do you have any suggestion on what I have to do?&nbsp;
Thank you in advance.
Luigi&nbsp;

kevin_k_51432 · Answer

Greetings Luigi,&nbsp;
It may be easier to simply download the most recent CA bundle and associate that with the client SSL profile. If you navigate to downloads, look for "Certificate-Authority-Bundle":&nbsp;
https://downloads.f5.com/esd/productlines.jsp&nbsp;
Alternatively, you can try the workaround in the article you mentioned: K15847.&nbsp;
Hope this is helpful!&nbsp;
Kevin&nbsp;

luigi_bros · Answer

Hi Kevin,&nbsp;
I have done everything in a test Virtual-F5 environment but I can see that there is no way to delete the original ca-bundle and neither is possible to be ovewritten by the new one.
Having a look at configuration "scf" exported I can see that they are referenced by some natively Application Templates.&nbsp;
As a result I have no other choices than leaving the original "ca-bundle" in the big-ip and getting from time to time email alerts saying the a certificate in the original "ca-bundle" is going to expire.&nbsp;
Am I wrong?&nbsp;
Had I better give up and ignore this or there is a way to put everything in order?&nbsp;
Thank you.
luigi_bros&nbsp;

kevin_k_51432 · Answer

Hi Luigi,&nbsp;
The ca-bundle.crt shouldn't take up much disk space, can you leave it on the BIG-IP and reference the newly imported one? Just give it a different name when you import it:&nbsp;
ca-bundle-2017.crt&nbsp;
If you've configured email alerts, you can stop them with the following:&nbsp;
https://support.f5.com/csp/article/K36641730&nbsp;
Hope this is helpful!&nbsp;
Kevin &nbsp;

Forum Discussion

CA Certificate Authorities DST ACES CA X6 - DigiNotar expired

Recent Discussions

BIG-IP Edge Endpoint Inspection Failure pre-VPN

How to export a list of paired external service providers from APM?

How to Renew F5 Device Certificate

BIG IP LTM - Multiple application on single VIP with multiple ports allowed.

Service discovery is not happening in AS3

Related Content

Building an OpenSSL Certificate Authority - Creating Your Root Certificate

Building an OpenSSL Certificate Authority - Creating ECC Certificates

Building an OpenSSL Certificate Authority - Creating Your Intermediary Certificate

JWT authorization with NGINX Ingress Controller

Understanding Server SSL Trusted Certificate Authorities on BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS