Forum Discussion

epaalx
Sep 21, 2017

Inherit cert-key-chain and cipher from another client-ssl profile in existing profile

I have a populated client-ssl profile which I don't want to delete (because it's referenced by production VSs) but I want to substitute all of its contents (particularly, "cert-key-chain" and "cipher" attributes) with those of another profile (which I expect to do using "defaults-from" attribute).

I've attempted:

 modify /ltm profile client-ssl clientssl_vshttpserver_2480_2s defaults-from QuoVadis_wildcard_XX_edu_au2 cert-key-chain delete {QuoVadis_wildcard_XX_edu_au}

but get error:

010717e2:3: Client SSL profile must have at least one set of certificate/key.

I can do it via Configuration Utility (by unchecking "Certificate Key Chain" and "Ciphers" sections), but (for logistical reasons) I need to achieve this task using TMSH.

Advice?

2 Replies

  • Confirmed by F5 Support - it cannot be done.

    Best work-around is to manually edit configuration file to force change inherit-certkeychain to true - K16589

  • Actually we are talking about the client-ssl profile property of inherit-certkeychain. It might be set to the following values:

      * false
      * true

    When trying to use tmsh to modify the value it's very likely to get an error message ("read only property"). Changing it for the parent profile via WebUI or config file as proposed by epaalx (+1) is the workaround.

    It seems to be mandatory in v12.1.3 to set inherit-certkeychain false for the parent to make sure the specific cert-key-chain in a child profile will be displayed and applied. Otherwise it might be overwritten by the cert-key-chain of the parent. The same setting has to be used in the child profile.

    Cheers, Stephan