Is ca-bundle.crt updated when I update BIG-IP ?

Question

I compared ca-bundle.crt on BIG-IP between 11.5.x and 12.1.x. Cause of a problem of client certification auth I faced.&nbsp;
What I found difference is that is following:&nbsp;
BIG-IP 12.1.x (VE) :&nbsp;
7108135 2017-04-29 20:18 /config/ssl/ssl.crt/ca-bundle.crt
BIG-IP 11.5.x (appliance):&nbsp;
3635692 Jan 16  2016 /config/ssl/ssl.crt/ca-bundle.crt
When I update 11.5.x to 12.1.x , the ca-bundle.crt will be replaced newer one ?
 OR
Should I copy the ca-bundle.crt from 12.1.x to 11.5.x?&nbsp;
I need correct GlobalSign Root CA, but a ca-bundle.crt on 11.5.x has duplicated CA inside ( same subject key they have ). Also number of GlobalSign CA on 12.1.x is 9. That is more than 3 on 11.5.x.&nbsp;
Thanks for reading.&nbsp;

iaine · Answer

Hi&nbsp;
Yes, as part of an upgrade the ca-bundle gets updated.  If you want to update without upgrading the OS then there is an iApp available to assist - https://f5.com/solutions/deployment-guides/ca-bundle-iapp-big-ip-v115-v12&nbsp;

Forum Discussion

Is ca-bundle.crt updated when I update BIG-IP ?

1 Reply

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Auditing Security Policy Updates

Update your DevCentral user profile

Clouddocs Updates

TMOS Version Update Paths

Ansible module to update BIG-IP root/admin passwords