Forum Discussion

Han_Zhang
Aug 09, 2016

Cannot overwrite existing certificate/key using iControl certificate/key import_from_pem calls

I have been testing importing an SSL certificate or key from PEM using the iControl calls https://devcentral.f5.com/wiki/iControl.Management__KeyCertificate__certificate_import_from_pem.ashx (and key_import_from_pem). The two calls accept a boolean overwrite parameter, which supposedly should allow overwriting of an existing certificate/key. But this doesn't seem to work. My test Perl script (the actual API call part) looks like this:

    $soapResponse = $KeyCert->certificate_import_from_pem
        (
            SOAP::Data->name(mode => MANAGEMENT_MODE_DEFAULT),
            SOAP::Data->name(cert_ids => [$sCert]),
            SOAP::Data->name(pem_data => [$CertPEM]),
            SOAP::Data->name(overwrite => 1)
        );

I've also tried "true" instead of 1 for the overwrite parameter; neither works. I'm getting errors like this:

    01020066:3: The requested Certificate File (/Common/test-cert.crt) already exists in partition Common.

My target is an F5 VM running BigIP v12.1.0. The script works fine when the cert/key didn't already exist on the F5.

  • I can't say what the problem is here; I have done the same using the Python bigsuds module without a problem (and in that case, I use True as the parameter, which I don't believe has an equivalent in Perl).

    However, I want to make you aware that if you are trying to replace both the cert and the key, you are going to run into a problem where, when you upload the cert, it errors out because it does not match the current key, and vice versa if you try the key first. This is really only useful if you have renewed a cert using the same private key. I'm not aware of a method for replacing both at the same time; I always end up creating a new one.
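
The reply above notes that an overwrite only succeeds when the renewed certificate still matches the private key already installed. The following is an added example, not part of the thread or of F5's code: a local pre-flight check, run before the import call, that compares the public key in a certificate with the public key derived from a private key. It assumes the `openssl` CLI and an unencrypted PEM key; the file names and the sample key/cert pair are constructed for the demonstration, and nothing here talks to the BIG-IP.

```shell
#!/bin/sh
# Pre-flight check before an overwrite import: does the renewed certificate
# carry the same public key as the private key it will be paired with?

# check_pair CERT KEY -> prints match | mismatch | unreadable
# returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed
check_pair() {
    if ! cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null); then
        echo unreadable; return 2
    fi
    # -passin pass: makes an encrypted key fail instead of prompting
    if ! key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null); then
        echo unreadable; return 2
    fi
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo unreadable; return 2
    fi
    # Both values are PEM SubjectPublicKeyInfo blocks, so a plain string
    # comparison is enough.
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match; return 0
    fi
    echo mismatch; return 1
}

# make_samples DIR -> writes constructed test material into DIR:
#   current.key + renewed.crt (same key pair), other.key (unrelated key)
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-cert" \
        -keyout "$1/current.key" -out "$1/renewed.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Demonstration on constructed files
work=$(mktemp -d)
make_samples "$work"
echo "renewed.crt vs current.key: $(check_pair "$work/renewed.crt" "$work/current.key")"
echo "renewed.crt vs other.key:   $(check_pair "$work/renewed.crt" "$work/other.key")"
rm -rf "$work"
```

A `mismatch` result predicts the failure described in the reply: the certificate upload will be rejected because it does not belong to the key currently on the device.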