Is ca-bundle.crt updated when I update BIG-IP ?

Question

I compared ca-bundle.crt on BIG-IP between 11.5.x and 12.1.x. Cause of a problem of client certification auth I faced.&nbsp;
What I found difference is that is following:&nbsp;
BIG-IP 12.1.x (VE) :&nbsp;
7108135 2017-04-29 20:18 /config/ssl/ssl.crt/ca-bundle.crt
BIG-IP 11.5.x (appliance):&nbsp;
3635692 Jan 16  2016 /config/ssl/ssl.crt/ca-bundle.crt
When I update 11.5.x to 12.1.x , the ca-bundle.crt will be replaced newer one ?
 OR
Should I copy the ca-bundle.crt from 12.1.x to 11.5.x?&nbsp;
I need correct GlobalSign Root CA, but a ca-bundle.crt on 11.5.x has duplicated CA inside ( same subject key they have ). Also number of GlobalSign CA on 12.1.x is 9. That is more than 3 on 11.5.x.&nbsp;
Thanks for reading.&nbsp;

iaine · Answer

Hi&nbsp;
Yes, as part of an upgrade the ca-bundle gets updated.  If you want to update without upgrading the OS then there is an iApp available to assist - https://f5.com/solutions/deployment-guides/ca-bundle-iapp-big-ip-v115-v12&nbsp;

Forum Discussion

Is ca-bundle.crt updated when I update BIG-IP ?

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Auditing Security Policy Updates

Upcoming Action Required: F5 NGINX Plus R33 Release and Licensing Update

Update your DevCentral user profile

Clouddocs Updates

TMOS Version Update Paths

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS