Forum Discussion

Faintly_Lucky
May 08, 2010

Command-line renewal of certs

Hi all:

I manage quite a few F5s for different customers as part of my job. One of the main things that I do for them is generate CSRs for new certs or renewals and send them to the customers so they can get them signed and back to me to import. I'm sure you can imagine that it's rather time-consuming to point and click when I can, and I have written a script that will do everything but send the request off for me. I have to use a jump host to access all of my customers' F5s, so it'd be really nice to be able to do renewals from the jump host that I have to use with a few keystrokes like I do with new requests. I'm aware of the gencert utility, which I use for new requests, but I need to be able to generate CSRs command-line using an existing key like you can through the WebUI. I've done some research and searching around and the OpenSSL utility *appears* to be the one that I should use for this, but I haven't been able to find anything that specifically says "for command-line cert renewal (using an existing key), run utility x with these options." The fact that I haven't found something like this is probably due to a PEBKAC error, so I figured I would just ask rather than continuing to beat my head against the wall, as I'm pretty sure that someone here has already asked this question.

Thanks in advance,

Lucky

 

  • Hamish
    I can see two (possibly more) ways of doing this.

    1. Possibly unsupported, use the command line openssl commands to create a new CSR from a key (FWIW I'd recommend using a NEW key rather than generating a CSR from an existing key. You really want to increase to at least a 2048 bit keylength currently).

    2. iControl has a certificate interface API in it for doing this... Under Management.

    Possibly tmsh also has a method of doing this (I haven't looked). I'm not sure that the bigpipe command has a certificate interface. I've never tried (I usually hand certificate management over and a lot of places just prefer a nice GUI).

    H
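As an added example (not code from this thread, from F5, or from any of the posters), here is the command-line route Hamish's first option describes: build the renewal CSR from the key that is already installed with `openssl req -new -key`, then run the two checks worth doing before the request goes to the customer: that the key is at least 2048 bits, and that the CSR actually carries that key's public key. It assumes the `openssl` binary is on PATH; the file names and the subject are placeholders, and the key the walkthrough generates stands in for the one already on the BIG-IP.

```shell
#!/bin/sh
# Added example, not code from this thread or from F5: generate a renewal CSR
# from an existing private key with the openssl CLI, then check the result
# before sending it off. Assumes openssl is on PATH; file names and the
# subject are placeholders.

# Create a CSR signed with an existing private key.
# Usage: csr_from_key KEY_FILE CSR_FILE "/C=US/O=Example/CN=www.example.com"
csr_from_key() {
    key="$1"; csr="$2"; subj="$3"
    openssl req -new -key "$key" -out "$csr" -subj "$subj" 2>/dev/null || return 1
    # The CSR's self-signature must verify, or the CA will reject it.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Print the RSA modulus size of a private key in bits. Matches the
# "Private-Key: (2048 bit ...)" header printed by OpenSSL 1.0, 1.1 and 3.x.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Succeed only if the CSR carries the public key of KEY_FILE. A renewal CSR
# built from the wrong key file yields a cert that will not pair with the
# key already installed, so compare the moduli before sending anything.
csr_matches_key() {
    kmod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)
    cmod=$(openssl req -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Walk through one renewal in a scratch directory so the example runs offline.
demo() {
    work=$(mktemp -d)
    key="$work/www.example.com.key"
    csr="$work/www.example.com.csr"
    # Constructed stand-in for the key already on the BIG-IP.
    openssl genrsa -out "$key" 2048 2>/dev/null
    subj="/C=US/ST=CA/O=Example Corp/CN=www.example.com"

    csr_from_key "$key" "$csr" "$subj" || { echo "CSR generation failed"; return 1; }

    bits=$(key_bits "$key")
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "WARNING: key is ${bits:-not RSA / unreadable}; consider generating a new key"
    fi

    csr_matches_key "$key" "$csr" || { echo "CSR does not match the key"; return 1; }

    echo "CSR subject: $(openssl req -in "$csr" -noout -subject)"
    echo "Send to the CA: $csr"
    rm -rf "$work"
}

# Only run the walkthrough when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run it as-is to see the walkthrough, or source it and call `csr_from_key` with the real key file pulled from the box. The modulus comparison is the check that matters most for renewals from an existing key: it catches the case where the key file on the jump host is not the one the virtual server is actually using.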
  • Hamish:

    I'm definitely aware that key lengths need to start increasing, but my customers only occasionally take my recommendations, so we'll see what they say about this. I couldn't find anything in the bigpipe utility that looks like it'll work, so I'll try out the OpenSSL utility and see what I get.

    Thanks for helping out.

    Lucky
  • hoolio
    Currently, LTM only supports up to 2048 bit SSL keys for client and server SSL profiles:

    SOL10580: The BIG-IP Client SSL and Server SSL profiles support SSL key sizes up to 2048 bits

    https://support.f5.com/kb/en-us/solutions/public/10000/500/sol10580.html

    F5 Networks is tracking an enhancement request to support 4096 bit SSL keys as CR124105, and to prevent the import of 4096 bit keys as CR86890.

    Aaron