Forum Discussion
Declaration for loading Cert/PrivKey in Common
Dear F5 enthusiasts,
I want to add a certificate and a private key to my F5 through an AS3 declaration under System > Certificate Management. The certificate must be placed under the /Common partition only, and no path is necessary.
The declaration I created looks as follows:
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.45.0",
    "id": "import-cert",
    "label": "Certificate Import",
    "Common": {
      "class": "Tenant",
      "myCertName": {
        "class": "Certificate",
        "certificate": {
          "base64": "<base64 encoded certificate>"
        },
        "privateKey": {
          "base64": "<base64 encoded private key>"
        }
      }
    }
  }
}
But when I POST this declaration to my F5 server I get the following message back:
{
  "code": 422,
  "errors": [
    "/Common: should NOT have additional properties"
  ],
  "message": "declaration is invalid",
  "host": "localhost",
  "tenant": [
    "Common:"
  ],
  "declarationId": "import-cert"
}
I tried to find answers but couldn't find anything and I would appreciate help.
Thanks in advance,
Kr
Xavier
Hi,
I don't think it's possible to upload directly to /Common. You can only upload to /Common/Shared (in order to avoid conflicts with manual LTM configuration)
Reference: BIG-IP AS3 Frequently Asked Questions (FAQ)
When does BIG-IP AS3 write to the Common partition for LTM configurations?
- As noted above, BIG-IP AS3 only writes to the Common partition when you specifically use /Common/Shared. Otherwise, BIG-IP AS3 does not write to the Common partition for LTM configurations to ensure there is no impact to an existing device configuration where both BIG-IP AS3 and legacy configuration methods are being used
So, using your example declaration, I think you would need to adjust it like so:
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.45.0",
    "id": "import-cert",
    "label": "Certificate Import",
    "Common": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "myCertName": {
          "class": "Certificate",
          "certificate": {
            "base64": "<base64 encoded certificate>"
          },
          "privateKey": {
            "base64": "<base64 encoded private key>"
          }
        }
      }
    }
  }
}
- Blowfish
Nimbostratus
Hello,
The proposed solution is indeed working—thank you for taking the time to explain it so clearly.
These are my first steps into AS3 declarations, and I can see there’s still a lot for me to learn.
Kind regards,
Xavier
Hi,
1. You have incorrect Placement of Certificate Object:
   - Issue: Placing the certificate object directly under the Common tenant without an application context.
   - Result: Leads to the error /Common: should NOT have additional properties because the certificate object must be within an application.
2. Missing Shared Application:
   - Issue: Not defining a Shared application within the tenant.
   - Result: The declaration is invalid because shared objects like certificates need to be within an application context.
3. Incorrect JSON Structure:
   - Issue: Any deviation from the correct structure, such as missing braces or incorrect nesting. You have only 5 Curly Brackets in the end, you need 6 curly brackets
   - Result: Causes the declaration to be invalid and results in errors.
By following the correct structure, you should be able to successfully deploy the certificate and private key to the /Common partition using AS3.
You should add the following to your code:
"Shared": {
  "class": "Application",
  "template": "shared",

Correct AS3 Declaration for Loading a Certificate and Private Key
To add a certificate and private key to the /Common partition using an AS3 declaration, you need to ensure that the structure adheres to the expected schema. Here’s the correct format:
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-appsvcs-extension/master/schema/latest/as3-schema.json",
  "class": "AS3",
  "action": "deploy",
  "declaration": {
    "class": "ADC",
    "schemaVersion": "3.45.0",
    "id": "import-cert",
    "label": "Certificate Import",
    "Common": {
      "class": "Tenant",
      "Shared": {
        "class": "Application",
        "template": "shared",
        "myCertName": {
          "class": "Certificate",
          "certificate": {
            "base64": "<base64 encoded certificate>"
          },
          "privateKey": {
            "base64": "<base64 encoded private key>"
          }
        }
      }
    }
  }
}
One EXTRA CURLY Bracket in the last is missing in your configuration, you need 6 instead of 5
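A pre-flight check for the placement rule discussed in this thread, as an added example (not code from any of the posters or from F5): it builds the /Common/Shared declaration from PEM text and flags class objects that sit directly under a Tenant. The function names and the constructed PEM placeholders are assumptions, and the checks cover only what the thread describes, not the full AS3 schema.

```python
import base64

# Constructed placeholders for illustration, not real certificate or key material.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\n<constructed>\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\n<constructed>\n-----END PRIVATE KEY-----\n"


def _b64(pem):
    return base64.b64encode(pem.encode("ascii")).decode("ascii")


def build_cert_declaration(name, cert_pem, key_pem):
    """Wrap a PEM pair in the Tenant > Shared Application layout from the thread."""
    cert_object = {
        "class": "Certificate",
        "certificate": {"base64": _b64(cert_pem)},
        "privateKey": {"base64": _b64(key_pem)},
    }
    shared = {"class": "Application", "template": "shared", name: cert_object}
    adc = {
        "class": "ADC",
        "schemaVersion": "3.45.0",  # version used in the thread
        "id": "import-cert",
        "Common": {"class": "Tenant", "Shared": shared},
    }
    return {"class": "AS3", "action": "deploy", "declaration": adc}


def find_placement_errors(as3_request):
    """List objects placed where the thread says AS3 rejects them."""
    problems = []
    adc = as3_request.get("declaration", as3_request)
    for tenant_name, tenant in adc.items():
        if not (isinstance(tenant, dict) and tenant.get("class") == "Tenant"):
            continue
        for key, value in tenant.items():
            if not (isinstance(value, dict) and "class" in value):
                continue  # plain tenant properties such as "class" or "label"
            if value["class"] != "Application":
                problems.append(
                    f"/{tenant_name}/{key}: {value['class']} must be inside an Application")
            elif tenant_name == "Common" and (
                    key != "Shared" or value.get("template") != "shared"):
                problems.append(
                    f"/Common/{key}: use the Shared application with template 'shared'")
    return problems
```

Running `find_placement_errors` on the declaration from the original question reports `/Common/myCertName`, the same object behind the 422 response.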