Forum Discussion

luigi_bros's avatar
luigi_bros
Icon for Nimbostratus rankNimbostratus
Oct 26, 2017

CA Certificate Authorities DST ACES CA X6 - DigiNotar expired

Dears all,   The Certificate Authorities Bundle in the BIG-IP box has a few root/intermediary certificates expired or expiring soon. Some of them are "DigiNotar", "DST ACES CA".   I know that u...
BIG-IP
LTM
security
Kevin_K_51432's avatar
Kevin_K_51432
Historic F5 Account
Oct 26, 2017

Greetings Luigi,

 

It may be easier to simply download the most recent CA bundle and associate that with the client SSL profile. If you navigate to downloads, look for "Certificate-Authority-Bundle":

 

https://downloads.f5.com/esd/productlines.jsp

 

Alternatively, you can try the workaround in the article you mentioned: K15847.

 

Hope this is helpful!

 

Kevin

 

luigi_bros's avatar
luigi_bros
Icon for Nimbostratus rankNimbostratus
Nov 06, 2017

Hi Kevin,

 

I have done everything in a test Virtual-F5 environment but I can see that there is no way to delete the original ca-bundle and neither is possible to be ovewritten by the new one. Having a look at configuration "scf" exported I can see that they are referenced by some natively Application Templates.

 

As a result I have no other choices than leaving the original "ca-bundle" in the big-ip and getting from time to time email alerts saying the a certificate in the original "ca-bundle" is going to expire.

 

Am I wrong?

 

Had I better give up and ignore this or there is a way to put everything in order?

 

Thank you. luigi_bros