Forum Discussion

ChadU_140502's avatar
ChadU_140502
Icon for Altostratus rankAltostratus
May 31, 2016

Export a FIPS based CSR (Certificate Signing Request) via iControl

I'm looking for a way to export a CSR via iControl. The key is FIPS based. Is there anyway this can be done through iControl (SOAP or REST)? I know attempting to export the key results in this error: "Cannot export FIPS or netHSM based keys."

 

devops
iControl
iControlREST
  • ChadU_140502's avatar
    ChadU_140502
    Jun 30, 2016

    On 11.5.4 I was able to get a CSR back by sending a tmsh command to create a key and generate a CSR. Here's what it looked like:

     

    POST HTTP/1.1

     

    {"command":"run","utilCmdArgs":"-c 'tmsh create sys crypto key example gen-csr common-name \"Example Inc.\" country \"US\" lifetime 3650 subject-alternative-name \"DNS: DNS:www.example.com\" security-type fips'"}

     

    The commandResponse in the reply included the CSR text.

     

  • R_Marc's avatar
    R_Marc
    Icon for Nimbostratus rankNimbostratus
    Jun 09, 2016

    Doesn't really matter if its fips or not. The only thing stored in the HSM on a FIPs device is the key material (assuming you flag it as fips).

    I couldn't find any obvious way to get the CSR via native iControl, but this worked:

    curl -sk -u 'admin:admin' -H "Content-Type: application/json" -X POST https://localhost/mgmt/tm/util/bash -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh list sys crypto csr test.csr'\"}" | python -m json.tool
{
    "command": "run",
    "commandResult": "-----BEGIN CERTIFICATE REQUEST-----\nMIICezCCAWMCAQAwJTELMAkGA1UEBhMCVVMxFjAUBgNVBAMTDXJlc3QudGVzdC5j\nb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTs/cs077ZO1kg0CEQ\nO0OOHBCbEKB2TVkVDDyMrdM0LfCApfFbzPIy6/cBeMeqGUFjId/9zHcW3nz1c5kf\nDUoiForim/v0NUoRPYSWxkbLcnlsCVxmHdMJidWPYf6XA5zV2vbEEMuksckwqdpW\nw58QQkcx8RU04OgSO7XVGJNgp59S2xwYRw8Lio7VjPq6Ut7S1o/+2EeRSa/R9Y0O\nTIO11eOsXwk56/D3wPTeG+WXLIqcu+O+bLyIC7JX6f3oV8X6Jc5GVLqOALce04t2\nalbeGbsr9GPNi4Cxo3TixnnW5IQC3FqznNSZ5I1e995KOE+lzFajbMUDtE/K2tD3\nLL6zAgMBAAGgETAPBgkqhkiG9w0BCQ4xAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQBt\n1MOQMyT0mFh0iCTEYnaVdsYomEcpu+/bIwmhjub/xgNDXSiOGwmugz30l0U9ZBPG\nHV6I7uxpjNjq9kReLYJNkg2sbhksehpFG4bq2NGpqRIWyYUVmndKYSOd03hIMnpW\n3+/OELGh+97N/lMZF+dnkxrlEsOD2b/aHjouN9RF7qt6S7YLIaOH0FY38Bh/mYsQ\nyIchf+L3pTOLdSZt4RameoKvrDco0yKs3/Yvwf71WE5neXFzQGR8E9225n674Cvi\nAEzH1d3VCjDVKhLuIoCR7H9Li8zPD6MDQZ+dnJReYWMcjXvQCC2i7t3N5Kg5m4ea\nGa41LAZ2+tJ+eaAY0s7Z\n-----END CERTIFICATE REQUEST-----\nsys crypto csr test.csr {\n    challenge-password\n    city\n    common-name rest.test.com\n    country US\n    email-address\n    key-size 2048\n    organization\n    ou\n    public-key-type RSA\n    state\n    subject-alternative-name\n}\n",
    "kind": "tm:util:bash:runstate",
    "utilCmdArgs": "-c 'tmsh list sys crypto csr test.csr'"
}
  • ChadU_140502's avatar
    ChadU_140502
    Icon for Altostratus rankAltostratus
    Jun 30, 2016

    On 11.5.4 I was able to get a CSR back by sending a tmsh command to create a key and generate a CSR. Here's what it looked like:

     

    POST HTTP/1.1

     

    {"command":"run","utilCmdArgs":"-c 'tmsh create sys crypto key example gen-csr common-name \"Example Inc.\" country \"US\" lifetime 3650 subject-alternative-name \"DNS: DNS:www.example.com\" security-type fips'"}

     

    The commandResponse in the reply included the CSR text.