dacrud_18985
Sep 18, 2008

add ssl cert through command line

Hi all,

Is there any way to import an SSL cert, and then add it to a VIP through the command line? The interface seems to take a while.

Thanks!
  • hoolio
    Hi there,

    You can copy the cert/key to the filesystem using SCP. The cert directory is /config/ssl/ssl.crt/ and the key directory is /config/ssl/ssl.key/. You could then define a clientSSL profile which references the crt and key using bigpipe. You might want to create one profile via the GUI with the custom options you want specified and then run 'b profile CLIENTSSL_PROFILE_NAME list' to view how it is set in the configuration. Here's an example of how to run the command via the CLI:

     
     b profile clientssl httpsvip_clientssl {\
        defaults from clientssl\
        key "httpsvip.example.com.key"\
        cert "httpsvip.example.com.crt"\
        chain "ca-bundle.crt"\
        ca file none\
        ciphers "DEFAULT"\
        options\
           dont insert empty fragments\
           no sslv2\
        modssl methods disable\
        cache size 20K\
        cache timeout 3600\
        renegotiate period indefinite\
        renegotiate size indefinite\
        renegotiate max record delay 10\
        handshake timeout 60\
        alert timeout 60\
        unclean shutdown enable\
        strict resume disable\
        nonssl disable\
     }
     

    bigpipe makes the change to the config running in memory. To write the changes to the bigip.conf file, run 'b save'.

    You might also want to look into why the GUI is slow. There was a recent post with some suggestions (Click here). Else, you could open a case with F5 Support and ask them to help investigate the issue.

    Aaron
  • Another trick in adding things at the command line I learned is to use the apostrophe to avoid all the backslashes:

     
     b profile clientssl httpsvip_clientssl '{
         defaults from clientssl 
         key ... 
         cert .... 
     }'
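
Before copying files into /config/ssl/ssl.crt/ and /config/ssl/ssl.key/ as described in the first reply, it helps to confirm that the key belongs to the certificate, that the certificate has not expired, and that the key file is not readable by other users. The script below is an added example, not part of the original posts or of F5's tooling; it assumes the `openssl` command is available, and the function name `check_pair` and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-install check for a cert/key pair.
# check_pair is a hypothetical helper; it needs only the openssl CLI.
# Return codes: 0 ok, 2 unreadable input, 3 mismatch, 4 expired, 5 loose key perms.

check_pair() {
    cert=$1
    key=$2

    # Extract the public key from each file as PEM. "-passin pass:" stops
    # openssl from prompting, so an encrypted key is reported as unreadable.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=

    [ -n "$cert_pub" ] || { echo "FAIL: cannot parse certificate $cert"; return 2; }
    [ -n "$key_pub" ] || { echo "FAIL: cannot read private key $key"; return 2; }

    # Catch a mismatched pair before the files are copied to the device.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert"; return 3; }

    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert has expired"; return 4; }

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other ($perms)"; return 5; }

    echo "OK: $cert and $key match, cert is current, key is owner-only"
    return 0
}

# Usage: sh check_pair.sh httpsvip.example.com.crt httpsvip.example.com.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

Run it on the machine that holds the files before the SCP step; a non-zero exit code identifies which check failed.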