certficate
12 Topics
The End of ClientAuth EKU…Oh Mercy…What to do?
If you’ve spent any time recently monitoring the cryptography and/or public key infrastructure (PKI) spaces…beyond that ever-present “post-quantum” thing, you may have read that starting in May of 2026, Google Chrome Root Program Policy will start requiring public certificate authorities (CAs) to stop issuing certificates with the Client Authentication Extended Key Usage (ClientAuth EKU) extension. While removing ClientAuth EKU from TLS server certificates correctly reduces the scope of these certificates, some internal client certificate authenticated TLS machine-to-machine and API workloads could fail when new/renewed certificates are received from a public CA. Read more here for details and options.
800 Views, 4 likes, 2 Comments
Deleting Old Certs
Good day, I know there have been threads on this but none of them have what I am looking for. Here is some background on what is going on. We had to upgrade our F5 to 15.1.8. Prior to upgrading we had a few certs that expired, so the thought was let's do the upgrade first, then we can remove the expired certs. But after the upgrade we attempted to remove the certs, first via the GUI: System => Certificate Management => searched for expired Cert and checked the box => and clicked on delete, but that didn't do anything, still there. So I tried the command line: delete sys file ssl-cert <Cert name>, but same results. How do I remove these old certs? Where besides /Common are these files stored? Thank you in advance! Warren
574 Views, 0 likes, 5 Comments
LTM v13: Certificate Archive does not work
Hi all, Anyone who got this to work? https://support.f5.com/csp/article/K146208 I have v13.1.0.2 and try to export certificates as a *.tgz but I get the following error: Key management library returned bad status: -99, Internal Error; connection not set and no session from which to get it So it is not possible to export the certs anymore 😞 Any hints are welcome! Thanks, Peter
547 Views, 0 likes, 5 Comments
character limit f5 subject alternative name
Guys, I am having an issue creating a .csr in F5. Do we have a limit on characters for Subject Alternative Names? We have 1111 characters including spaces in the Subject Alternative Name, however it has an error "error occurred while processing your request". But when I delete a few domains, about 2, it was successful :( Please help. Thanks
533 Views, 0 likes, 5 Comments
CRYPTO::encrypt import key or cert from SSL Certificate List
Hello, I use the CRYPTO::encrypt function and it works very well. But it is needed to write the private key in the iRule. Is there a way to import the private key or certificate directly from the "SSL Certificate List" or read it in as a file? Thanks for your help.
408 Views, 0 likes, 1 Comment
Validating SSL certificate
I am doing some certificate validations.
1. I need to validate the client is presenting a certificate. I realize I can require it in the clientssl profile, but I have no log entry if I get a failed request. So I would like to do this in the iRule that does the other validations based on the subject_dn.
2. I am having trouble finding information on some sample rule commands. What is [SSL::cert 0]? Also, SSL::cert count: what is that counting?
3. Do I want to evaluate this at CLIENTSSL_HANDSHAKE or CLIENTSSL_CLIENTCERT?
Also, this is not HTTP traffic.
363 Views, 0 likes, 1 Comment
TFS Load balancing using 2 LTM and a GTM. Where to install the certificate?
I have a 2 app server (IIS) TFS infra, where I have configured 2 LTM and a GTM. Everything seems to be working fine, other than the GTM URL is not secured. My question is, where do I install the certificate? Is it in the IIS server where the application is running or somewhere in GTM? Do I need the cert to contain all the CNAMEs in it as aliases?
309 Views, 0 likes, 1 Comment
troubleshooting serverssl profile with client cert..
Hi all! We have a virtualserver with a serverssl profile configured with a client cert. According to the technician working with the backend nginx node they're not getting the client cert. Does anyone know a good way for us to verify that the cert is there or not? Would a tcpdump be sufficient? /Kim
181 Views, 0 likes, 4 Comments