For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dacrud_18985's avatar
dacrud_18985
Icon for Nimbostratus rankNimbostratus
Sep 18, 2008

add ssl cert through command line

Hi all,     Is there anyway to import an ssl cert, and then add it to a VIP through the command line? The interface seems to take a while.     Thanks!
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Sep 19, 2008
Hi there,

You can copy the cert/key to the filesystem using SCP. The cert directory is /config/ssl/ssl.crt/ and the key directory is /config/ssl/ssl.key/. You could then define a clientSSL profile which references the crt and key using bigpipe. You might want to create one profile via the GUI with the custom options you want specified and then run 'b profile CLIENTSSL_PROFILE_NAME list' to view how it is set in the configuration. Here's an example of how to run the command via the CLI: 

 
 b profile clientssl httpsvip_clientssl {\ 
    defaults from clientssl\ 
    key "httpsvip.example.com.key"\ 
    cert "httpsvip.example.com.crt"\ 
    chain "ca-bundle.crt"\ 
    ca file none\ 
    ciphers "DEFAULT"\ 
    options\ 
       dont insert empty fragments\ 
       no sslv2\ 
    modssl methods disable\ 
    cache size 20K\ 
    cache timeout 3600\ 
    renegotiate period indefinite\ 
    renegotiate size indefinite\ 
    renegotiate max record delay 10\ 
    handshake timeout 60\ 
    alert timeout 60\ 
    unclean shutdown enable\ 
    strict resume disable\ 
    nonssl disable\ 
 }

bigpipe makes the change to the config running in memory. To write the changes to the bigip.conf file, run 'b save'.

You might also want to look into why the GUI is slow. There was a recent post with some suggestions (Click here). Else, you could open a case with F5 Support and ask them to help investigate the issue.

Aaron