SSL certs reset to default on 12.1.3 with client profile change

This seems very familiar. It can be fixed permanently with a one-time effort.

During software upgrade, boolean value of

inherit-certkeychain

of your custom clientssl profiles may get tampered. Last time I upgraded, this bug only affected custom clientssl profiles where one or more settings were derived from another custom clientssl profile. In my experience, this bug has never affected custom clientssl profiles that only inherit settings from the system-default

clientssl

profile.

Fix:

1. Take raw backup of current bigip.conf file:

   cp /config/bigip.conf /var/tmp/bigip.conf.bak

2. Open up

   /config/bigip.conf

   with vi or alternative, and search for

   inherit-certkeychain

   keyword occurrences. For every custom clientssl profile that should use their own dedicated certificate/key pairs, replace configuration line that says

   inherit-certkeychain true

   with

   inherit-certkeychain false

   . (If the broken profile does not have inherit-certkeychain line in it's configuration, then add it yourself and make sure it's value is "false")
3. Save changes to /config/bigip.conf and load in new configuration to TMOS with

   tmsh load sys config

   .

Now you can implement changes to your clientssl profiles via GUI normally.

Note: This can be implemented on a live production system with no negative impact. But there's substantial risk of messing up configuration. Do your own due diligence during low activity hours with just 1 profile, or ideally test everything in a testing environment.

Regards,