Cirrus

Jun 01, 2021

Extract content of Certificate key file with REST or Ansible

Hi Community,

I'm working on an automation for renewing Certificates on multiple BIG-IP's using Ansible.

As not all available Ansible F5 modules provide what is required, I'm currently using a mix of modules and REST calls (which is call from Ansible).

F5 Module Index

What works so far is:

Create new CSR/Key on BIG-IP
Get new "CA based" Cert and upload to the BIG-IP
Upload the same Cert to other BIG-IP's
Update SSL profiles on multiple BIG-IP's
and some others tasks, like irules..etc

Anyhow, what doesnt work so far is to get the content of the key which was created on the first device together with the CSR. Basically I dont have the key which needs to be uploaded to the other BIG-IP's as well.

From the CLI, the following gives me what I need:

cat /config/filestore/files_d/Common_d/certificate_key_d/*name.key*

The problem with this is, I cant integrate it in Ansible using the bigip_command – Run TMSH and BASH commands on F5 devices module. Looks like only tmsh commands are supported even though it states BASH as well. Plus I try to avoid using this module whenever possible in a first place.

Through the GUI, simple export and import on an other device - done, but obviously not automated.

I have tried all possible Ansible modules as well as REST calls, but dont get the content out of the .key file.

I thought that this would/should be a simple tasks. If anyone's done this using any approach please share.

I could create a new key and get a cert for each device, but first try to find out if there's another way.

Thanks in advance,

Stefan

4 Replies

Daniel_Wolf
MVP
Jun 02, 2021
Hi Stefan,

I guess using SOAP is not an option: https://clouddocs.f5.com/api/icontrol-soap/Management__KeyCertificate.html ?

Another option, but that is also sort of working around the problem, you can download files like described here: https://support.f5.com/csp/article/K41763344#download_generic
Means the private key file must exist in https://<ip address>/mgmt/shared/file-transfer/uploads/<filename>, maybe as a copy.

KR
Daniel
- Stefan_Engel
  Cirrus
  Jun 04, 2021
  Thanks Daniel.
  https://support.f5.com/csp/article/K41763344#download_generic might work, but not supported in v15.x.x or later anymore.
  I solved it like this..may not the prettiest, but works:
  - name: Extract Certificate Private Key raw: cat /config/filestore/files_d/Common_d/certificate_key_d/\:Common:vanity_{{request_id}}.key* register: vanity_key become: yes delegate_to: "{{ provider.server }}" vars: ansible_ssh_user: "{{ provider.user }}" ansible_ssh_pass: "{{ provider.password }}" - name: Import Cert Key bigip_ssl_key: name: "vanity_{{ request_id }}" state: present content: "{{ vanity_key.stdout }}" provider: "{{ provider }}"

StephanManthey

Nacreous

Jul 08, 2021

Exporting key material is not supported as far as I know. Using the CLI is the only option I am aware of.

Only a CSR can be exported.

Creating a CSR:

- name: create string of subject alternative names when defined in inventory
  set_fact:
    san_list: "{{ san_list | default([]) + ['DNS:%s' | format(item.name)] }}"
  with_items: "{{ hostvars[inventory_hostname].certificates.server[0].subject_alternative_names | selectattr('name', 'defined') | list }}"
  when: hostvars[inventory_hostname].certificates.server[0].subject_alternative_names is defined
 
- name: add signing request name and properties to data structure
  set_fact:
    csr_data: "{{ {
        'csr_consumer': 'ltm',
        'csr_prefix': 'cert',
        'csr_suffix': device_info[inventory_hostname].ansible_host_time,
        'csr_name': hostvars[inventory_hostname].certificates.server[0].name,
        'csr_cn': hostvars[inventory_hostname].certificates.server[0].subject.common_name,
        'csr_san': san_list | default(['DNS:%s' | format(hostvars[inventory_hostname].certificates.server[0].name)]) | join(','),
        'csr_country': hostvars[inventory_hostname].certificates.server[0].subject.location_country | default('US'),
        'csr_state': hostvars[inventory_hostname].certificates.server[0].subject.location_state | default(''),
        'csr_city': hostvars[inventory_hostname].certificates.server[0].subject.location_city | default(''),
        'csr_organization': hostvars[inventory_hostname].certificates.server[0].subject.organization_name | default(''),
      } }}"
    
- name: create certificate signing request on load balancer
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/csr
    method: POST
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body_format: json
    body:
      'name': "{{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }}"
      'key': "{{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }}"
      'common-name': "{{ csr_data.csr_cn }}"
      'subject-alternative-name': "{{ csr_data.csr_san }}"
      'country':  "{{ csr_data.csr_country }}"
      'state': "{{ csr_data.csr_state }}"
      'city': "{{ csr_data.csr_city }}"
      'organization': "{{ csr_data.csr_organization }}"
      'consumer': "{{ csr_data.csr_consumer }}"
  register: result
  until: result.status == 200
  retries: 40
  delay: 5
  when: csr_data is defined

Exporting a CSR:

- name: add certificate signing request name to data structure
  set_fact:
    csr_data: "{{ {
        'csr_prefix': 'cert',
        'csr_suffix': device_info[inventory_hostname].ansible_host_time,
        'csr_name': hostvars[inventory_hostname].certificates.server[0].name,
        'csr_file_extension': 'csr'
      } }}"
      
- name: debug data
  debug: 
    msg: "{{ csr_data }}"
    
- name: export certificate signing request
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/util/bash
    method: POST
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body_format: json
    body:
      command: run
      utilCmdArgs: "-c 'tmsh list sys crypto csr {{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }} | sed -re \'/-----/,/-----/!d\''"
  register: csr_result
  
- name: debug data
  debug:
    msg: "{{ csr_result.json.commandResult }}"
    
- name: save certificate signing request to local file and replace encoded new line characters
  copy:
    content: "{{ csr_result.json.commandResult | regex_replace('\\n', '\n') }}"
    dest: "{{ '~/ssl/server/csr/%s.%s' | format(csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix, csr_data.csr_file_extension) }}"
    force: yes

Uploading all key material:

- name: register cert file properties
  stat:
    path: "{{ crt_file_path }}"
  register: crt_properties
  when: crt_file_path is defined
  
- name: set certificate file size information
  set_fact:
    crt_file_size: "{{ crt_properties.stat.size }}"
  when: crt_properties is defined
  
- name: register key file properties
  stat:
    path: "{{ key_file_path }}"
  register: key_properties
  when: key_file_path is defined
  
- name: set key file size information
  set_fact:
    key_file_size: "{{ key_properties.stat.size }}"
  when: key_properties is defined
  
- name: register chain file properties
  stat:
    path: "{{ chain_file_path }}"
  register: chain_properties
  when: chain_file_path is defined
  
- name: set chain file size information
  set_fact:
    chain_file_size: "{{ chain_properties.stat.size }}"
  when: chain_properties is defined
  
- name: copy certificate to temp directory
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/shared/file-transfer/uploads/{{ crt_file_name }}
    method: POST
    headers:
      Content-Range: "0-{{ crt_file_size | int - 2 }}/{{ crt_file_size }}"
      Content-Type: "application/octet-stream"
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body: "{{ lookup('file', crt_file_path) }}"
    
- name: copy key to temp directory
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/shared/file-transfer/uploads/{{ key_file_name }}
    method: POST
    headers:
      Content-Range: "0-{{ key_file_size | int - 2 }}/{{ key_file_size }}"
      Content-Type: "application/octet-stream"
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body: "{{ lookup('file', key_file_path) }}"
    
- name: copy chain to temp directory
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/shared/file-transfer/uploads/{{ chain_file_name }}
    method: POST
    headers:
      Content-Range: "0-{{ chain_file_size | int - 2 }}/{{ chain_file_size }}"
      Content-Type: "application/octet-stream"
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body: "{{ lookup('file', chain_file_path) }}"
    
- name: copy certificate to TMOS filestore (TMOS v14+)
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/cert
    method: POST
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body_format: json
    body:
      command: install
      name: "{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}"
      from-local-file: "/var/config/rest/downloads/tmp/{{ '%s_%s_%s.%s' | format(crt_prefix,crt_name,crt_suffix,crt_file_extension) }}"
      
- name: copy key to TMOS filestore (TMOS v14+)
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/key
    method: POST
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body_format: json
    body:
      command: install
      name: "{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}"
      from-local-file: "/var/config/rest/downloads/tmp/{{ '%s_%s_%s.%s' | format(crt_prefix,crt_name,crt_suffix,key_file_extension) }}"
      
- name: copy chain to TMOS filestore (TMOS v14+)
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/cert
    method: POST
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body_format: json
    body:
      command: install
      name: "{{ '%s_%s_%s' | format(chain_prefix,crt_name,crt_suffix) }}"
      from-local-file: "/var/config/rest/downloads/tmp/{{ '%s_%s_%s.%s' | format(chain_prefix,crt_name,crt_suffix,crt_file_extension) }}"
      
- name: specifiy name of profile (TMOS v14+ does not use the file extension)
  set_fact:
    profile: "{{ '%s_%s_%s' | format(profile_prefix,crt_name,profile_suffix) }}"
    
- name: lookup current cert, key and chain assignments in client-ssl profile
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/ltm/profile/client-ssl/{{ profile }}?$select=cert,key,chain
    method: GET
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
  register: lookup_result
      
- name: modify existing client-ssl persistence
  uri:
    validate_certs: no
    url: https://{{ inventory_hostname }}/mgmt/tm/ltm/profile/client-ssl/{{ profile }}
    method: PATCH
    headers:
      X-F5-Auth-Token: "{{ device_info[inventory_hostname].token }}"
    body_format: json
    body:
      cert: "{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}"
      key: "{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}"
      chain: "{{ '%s_%s_%s' | format(chain_prefix,crt_name,crt_suffix) }}"

If you are exporting the key material anyway, why not creating the key pair and CSR outside the F5? (see next reply, please)

StephanManthey

Nacreous

Jul 08, 2021

As mentioned before, I prefer creating the private/public key pair outside the BIG-IP and finally upload the signed certificate and chain to the BIG-IP device(s).

Here is how I create the key material and CSR (and sign it locally for testing purposes):

- hosts: localhost
  gather_facts: yes
  
  tasks:
  
  - name: retrieve system time information (YYYYMMDD_HHMMSS)
    set_fact:
      ansible_clock_information: "{{ '%s%s%s_%s%s%s' | format(ansible_date_time.year, ansible_date_time.month, ansible_date_time.day, ansible_date_time.hour, ansible_date_time.minute, ansible_date_time.second) }}"
    delegate_to: localhost
    
  - name: debug ansible_clock_information
    debug:
      msg: "{{ ansible_clock_information }}"
      
  - name: include variables file (required for local CA access)
    no_log: true
    include_vars: sample_credentials.yml
    
  - name: include certificate variables file and suppress logging
    include_vars: 
      file: "{{ certificate_data }}"
      name: certificate_config
      
  - name: debug variables
    debug:
      msg: "{{ certificate_config.server_certificate }}"
      
  - name: create string of subject alternative names when defined in inventory
    set_fact:
      san_list: "{{ san_list | default([]) + ['DNS:%s' | format(item.name)] }}"
    with_items: "{{ certificate_config.server_certificate.subject_alternative_names | selectattr('name', 'defined') | list }}"
    when: certificate_config.server_certificate.subject_alternative_names is defined
    
  - name: debug string of subject alternative names
    debug:
      msg: "{{ san_list }}"
      
  - name: add signing request name and properties to data structure
    set_fact:
      csr_data: "{{ {
          'csr_type': certificate_config.server_certificate.key_type,
          'csr_length': certificate_config.server_certificate.key_length,
          'csr_prefix': 'cert',
          'csr_suffix': ansible_clock_information,
          'csr_name': certificate_config.server_certificate.name,
          'csr_cn': certificate_config.server_certificate.subject.common_name,
          'csr_san': san_list | default(['DNS:%s' | format(certificate_config.server_certificate.name)]) | join(','),
          'csr_country': certificate_config.server_certificate.subject.location_country | default('US'),
          'csr_state': server_certificate.subject.location_state | default(''),
          'csr_city': certificate_config.server_certificate.subject.location_city | default(''),
          'csr_organization': certificate_config.server_certificate.subject.organization_name | default(''),
        } }}"
        
  - name: debug data
    debug: 
      msg: "{{ csr_data }}"
      
  - name: assemble key material file name
    set_fact:
      key_file_name: "{{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }}"
      
  - name: assemble certificate subject
    set_fact:
      certificate_subject: "{{ '/C=' + csr_data.csr_country + '/ST=' + csr_data.csr_state + '/L=' + csr_data.csr_city + '/O=' +csr_data.csr_organization + '/CN=' + csr_data.csr_cn }}"
      
  - name: generate a new private/public key pair
    command: openssl gen{{ csr_data.csr_type | lower }} -out ~/ssl/server/material/{{ key_file_name }}.key  {{ csr_data.csr_length }}
    
  - name: generate temporary config files with subject alternative names
    copy:
      dest: "~/ssl/server/tmp/{{ key_file_name }}.cnf"
      content: |
        [SAN]
        subjectAltName={{ csr_data.csr_san }}
        [ req ]
        distinguished_name  = req_distinguished_name
        [ req_distinguished_name ]
        
  - name: generate CSRs
    command: openssl req -new -sha256 -reqexts SAN -key ~/ssl/server/material/{{ key_file_name }}.key -out ~/ssl/server/material/{{ key_file_name }}.csr  -subj '{{ certificate_subject }}' -config ~/ssl/server/tmp/{{ key_file_name }}.cnf
    
  - name: generate key/csr information
    set_fact:
      key_csr_info:
        reference: "{{ csr_data.csr_name }}"
        timestamp: "{{ csr_data.csr_suffix }}"
        new_key: "{{ key_file_name + '.key' }}"
        new_csr: "{{ key_file_name + '.csr' }}"
        
  - name: save timestamp information to local file
    copy:
      content: "{{ key_csr_info | to_nice_yaml }}"
      dest: "{{ '~/ssl/server/material/cert_%s.info' | format(csr_data.csr_name) }}"
      force: yes
      
  - name: print file locations
    debug:
      msg: 
      - "{{ 'new private key created: ~/ssl/server/material/' + key_file_name + '.key' }}"
      - "{{ 'new signing req created: ~/ssl/server/material/' + key_file_name + '.csr' }}"
      - "{{ 'new key/csr information: ~/ssl/server/material/cert_%s.info' | format(csr_data.csr_name) }}"
      
  - name: sign certificate with local CA
    command: openssl ca -notext -md sha256 -days 730 -batch -passin pass:{{ intermediate_ca_credentials.secret }} -out ~/ssl/server/material/{{ key_file_name }}.crt -config ~/ssl/intermediate/openssl.cnf -extensions server_cert -in ~/ssl/server/material/{{ key_file_name }}.csr
    
  - name: save intermediate CA chain (src is referencing the locally saved chain of intermediate CAs)
    copy:
      src: "~/ssl/intermediate/crt/intermediate-ca.crt"
      dest: "{{ '~/ssl/server/material/chain_' + csr_data.csr_name + '_' + csr_data.csr_suffix + '.crt' }}"
      
  - name: print file locations
    debug:
      msg: 
      - "{{ 'new signed cert created: ~/ssl/server/material/' + key_file_name + '.csr' }}"
      - "{{ 'new intermediate saved: ~/ssl/server/material/chain_' + csr_data.csr_name + '_' + csr_data.csr_suffix + '.crt' }}"

Cheers, Stephan

- name: Extract Certificate Private Key\n raw: cat /config/filestore/files_d/Common_d/certificate_key_d/\\:Common:vanity_{{request_id}}.key*\n register: vanity_key\n become: yes\n delegate_to: \"{{ provider.server }}\"\n vars:\n ansible_ssh_user: \"{{ provider.user }}\"\n ansible_ssh_pass: \"{{ provider.password }}\"\n \n- name: Import Cert Key\n bigip_ssl_key:\n name: \"vanity_{{ request_id }}\"\n state: present\n content: \"{{ vanity_key.stdout }}\"\n provider: \"{{ provider }}\"

- name: create string of subject alternative names when defined in inventory\n set_fact:\n san_list: \"{{ san_list | default([]) + ['DNS:%s' | format(item.name)] }}\"\n with_items: \"{{ hostvars[inventory_hostname].certificates.server[0].subject_alternative_names | selectattr('name', 'defined') | list }}\"\n when: hostvars[inventory_hostname].certificates.server[0].subject_alternative_names is defined\n \n- name: add signing request name and properties to data structure\n set_fact:\n csr_data: \"{{ {\n 'csr_consumer': 'ltm',\n 'csr_prefix': 'cert',\n 'csr_suffix': device_info[inventory_hostname].ansible_host_time,\n 'csr_name': hostvars[inventory_hostname].certificates.server[0].name,\n 'csr_cn': hostvars[inventory_hostname].certificates.server[0].subject.common_name,\n 'csr_san': san_list | default(['DNS:%s' | format(hostvars[inventory_hostname].certificates.server[0].name)]) | join(','),\n 'csr_country': hostvars[inventory_hostname].certificates.server[0].subject.location_country | default('US'),\n 'csr_state': hostvars[inventory_hostname].certificates.server[0].subject.location_state | default(''),\n 'csr_city': hostvars[inventory_hostname].certificates.server[0].subject.location_city | default(''),\n 'csr_organization': hostvars[inventory_hostname].certificates.server[0].subject.organization_name | default(''),\n } }}\"\n \n- name: create certificate signing request on load balancer\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/csr\n method: POST\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body_format: json\n body:\n 'name': \"{{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }}\"\n 'key': \"{{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }}\"\n 'common-name': \"{{ csr_data.csr_cn }}\"\n 'subject-alternative-name': \"{{ csr_data.csr_san }}\"\n 'country': \"{{ csr_data.csr_country }}\"\n 'state': \"{{ csr_data.csr_state }}\"\n 'city': \"{{ csr_data.csr_city }}\"\n 'organization': \"{{ csr_data.csr_organization }}\"\n 'consumer': \"{{ csr_data.csr_consumer }}\"\n register: result\n until: result.status == 200\n retries: 40\n delay: 5\n when: csr_data is defined

- name: add certificate signing request name to data structure\n set_fact:\n csr_data: \"{{ {\n 'csr_prefix': 'cert',\n 'csr_suffix': device_info[inventory_hostname].ansible_host_time,\n 'csr_name': hostvars[inventory_hostname].certificates.server[0].name,\n 'csr_file_extension': 'csr'\n } }}\"\n \n- name: debug data\n debug: \n msg: \"{{ csr_data }}\"\n \n- name: export certificate signing request\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/util/bash\n method: POST\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body_format: json\n body:\n command: run\n utilCmdArgs: \"-c 'tmsh list sys crypto csr {{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }} | sed -re \\'/-----/,/-----/!d\\''\"\n register: csr_result\n \n- name: debug data\n debug:\n msg: \"{{ csr_result.json.commandResult }}\"\n \n- name: save certificate signing request to local file and replace encoded new line characters\n copy:\n content: \"{{ csr_result.json.commandResult | regex_replace('\\\\n', '\\n') }}\"\n dest: \"{{ '~/ssl/server/csr/%s.%s' | format(csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix, csr_data.csr_file_extension) }}\"\n force: yes

- name: register cert file properties\n stat:\n path: \"{{ crt_file_path }}\"\n register: crt_properties\n when: crt_file_path is defined\n \n- name: set certificate file size information\n set_fact:\n crt_file_size: \"{{ crt_properties.stat.size }}\"\n when: crt_properties is defined\n \n- name: register key file properties\n stat:\n path: \"{{ key_file_path }}\"\n register: key_properties\n when: key_file_path is defined\n \n- name: set key file size information\n set_fact:\n key_file_size: \"{{ key_properties.stat.size }}\"\n when: key_properties is defined\n \n- name: register chain file properties\n stat:\n path: \"{{ chain_file_path }}\"\n register: chain_properties\n when: chain_file_path is defined\n \n- name: set chain file size information\n set_fact:\n chain_file_size: \"{{ chain_properties.stat.size }}\"\n when: chain_properties is defined\n \n- name: copy certificate to temp directory\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/shared/file-transfer/uploads/{{ crt_file_name }}\n method: POST\n headers:\n Content-Range: \"0-{{ crt_file_size | int - 2 }}/{{ crt_file_size }}\"\n Content-Type: \"application/octet-stream\"\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body: \"{{ lookup('file', crt_file_path) }}\"\n \n- name: copy key to temp directory\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/shared/file-transfer/uploads/{{ key_file_name }}\n method: POST\n headers:\n Content-Range: \"0-{{ key_file_size | int - 2 }}/{{ key_file_size }}\"\n Content-Type: \"application/octet-stream\"\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body: \"{{ lookup('file', key_file_path) }}\"\n \n- name: copy chain to temp directory\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/shared/file-transfer/uploads/{{ chain_file_name }}\n method: POST\n headers:\n Content-Range: \"0-{{ chain_file_size | int - 2 }}/{{ chain_file_size }}\"\n Content-Type: \"application/octet-stream\"\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body: \"{{ lookup('file', chain_file_path) }}\"\n \n- name: copy certificate to TMOS filestore (TMOS v14+)\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/cert\n method: POST\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body_format: json\n body:\n command: install\n name: \"{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}\"\n from-local-file: \"/var/config/rest/downloads/tmp/{{ '%s_%s_%s.%s' | format(crt_prefix,crt_name,crt_suffix,crt_file_extension) }}\"\n \n- name: copy key to TMOS filestore (TMOS v14+)\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/key\n method: POST\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body_format: json\n body:\n command: install\n name: \"{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}\"\n from-local-file: \"/var/config/rest/downloads/tmp/{{ '%s_%s_%s.%s' | format(crt_prefix,crt_name,crt_suffix,key_file_extension) }}\"\n \n- name: copy chain to TMOS filestore (TMOS v14+)\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/sys/crypto/cert\n method: POST\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body_format: json\n body:\n command: install\n name: \"{{ '%s_%s_%s' | format(chain_prefix,crt_name,crt_suffix) }}\"\n from-local-file: \"/var/config/rest/downloads/tmp/{{ '%s_%s_%s.%s' | format(chain_prefix,crt_name,crt_suffix,crt_file_extension) }}\"\n \n- name: specifiy name of profile (TMOS v14+ does not use the file extension)\n set_fact:\n profile: \"{{ '%s_%s_%s' | format(profile_prefix,crt_name,profile_suffix) }}\"\n \n- name: lookup current cert, key and chain assignments in client-ssl profile\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/ltm/profile/client-ssl/{{ profile }}?$select=cert,key,chain\n method: GET\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n register: lookup_result\n \n- name: modify existing client-ssl persistence\n uri:\n validate_certs: no\n url: https://{{ inventory_hostname }}/mgmt/tm/ltm/profile/client-ssl/{{ profile }}\n method: PATCH\n headers:\n X-F5-Auth-Token: \"{{ device_info[inventory_hostname].token }}\"\n body_format: json\n body:\n cert: \"{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}\"\n key: \"{{ '%s_%s_%s' | format(crt_prefix,crt_name,crt_suffix) }}\"\n chain: \"{{ '%s_%s_%s' | format(chain_prefix,crt_name,crt_suffix) }}\"\n

- hosts: localhost\n gather_facts: yes\n \n tasks:\n \n - name: retrieve system time information (YYYYMMDD_HHMMSS)\n set_fact:\n ansible_clock_information: \"{{ '%s%s%s_%s%s%s' | format(ansible_date_time.year, ansible_date_time.month, ansible_date_time.day, ansible_date_time.hour, ansible_date_time.minute, ansible_date_time.second) }}\"\n delegate_to: localhost\n \n - name: debug ansible_clock_information\n debug:\n msg: \"{{ ansible_clock_information }}\"\n \n - name: include variables file (required for local CA access)\n no_log: true\n include_vars: sample_credentials.yml\n \n - name: include certificate variables file and suppress logging\n include_vars: \n file: \"{{ certificate_data }}\"\n name: certificate_config\n \n - name: debug variables\n debug:\n msg: \"{{ certificate_config.server_certificate }}\"\n \n - name: create string of subject alternative names when defined in inventory\n set_fact:\n san_list: \"{{ san_list | default([]) + ['DNS:%s' | format(item.name)] }}\"\n with_items: \"{{ certificate_config.server_certificate.subject_alternative_names | selectattr('name', 'defined') | list }}\"\n when: certificate_config.server_certificate.subject_alternative_names is defined\n \n - name: debug string of subject alternative names\n debug:\n msg: \"{{ san_list }}\"\n \n - name: add signing request name and properties to data structure\n set_fact:\n csr_data: \"{{ {\n 'csr_type': certificate_config.server_certificate.key_type,\n 'csr_length': certificate_config.server_certificate.key_length,\n 'csr_prefix': 'cert',\n 'csr_suffix': ansible_clock_information,\n 'csr_name': certificate_config.server_certificate.name,\n 'csr_cn': certificate_config.server_certificate.subject.common_name,\n 'csr_san': san_list | default(['DNS:%s' | format(certificate_config.server_certificate.name)]) | join(','),\n 'csr_country': certificate_config.server_certificate.subject.location_country | default('US'),\n 'csr_state': server_certificate.subject.location_state | default(''),\n 'csr_city': certificate_config.server_certificate.subject.location_city | default(''),\n 'csr_organization': certificate_config.server_certificate.subject.organization_name | default(''),\n } }}\"\n \n - name: debug data\n debug: \n msg: \"{{ csr_data }}\"\n \n - name: assemble key material file name\n set_fact:\n key_file_name: \"{{ csr_data.csr_prefix + '_' + csr_data.csr_name + '_' + csr_data.csr_suffix }}\"\n \n - name: assemble certificate subject\n set_fact:\n certificate_subject: \"{{ '/C=' + csr_data.csr_country + '/ST=' + csr_data.csr_state + '/L=' + csr_data.csr_city + '/O=' +csr_data.csr_organization + '/CN=' + csr_data.csr_cn }}\"\n \n - name: generate a new private/public key pair\n command: openssl gen{{ csr_data.csr_type | lower }} -out ~/ssl/server/material/{{ key_file_name }}.key {{ csr_data.csr_length }}\n \n - name: generate temporary config files with subject alternative names\n copy:\n dest: \"~/ssl/server/tmp/{{ key_file_name }}.cnf\"\n content: |\n [SAN]\n subjectAltName={{ csr_data.csr_san }}\n [ req ]\n distinguished_name = req_distinguished_name\n [ req_distinguished_name ]\n \n - name: generate CSRs\n command: openssl req -new -sha256 -reqexts SAN -key ~/ssl/server/material/{{ key_file_name }}.key -out ~/ssl/server/material/{{ key_file_name }}.csr -subj '{{ certificate_subject }}' -config ~/ssl/server/tmp/{{ key_file_name }}.cnf\n \n - name: generate key/csr information\n set_fact:\n key_csr_info:\n reference: \"{{ csr_data.csr_name }}\"\n timestamp: \"{{ csr_data.csr_suffix }}\"\n new_key: \"{{ key_file_name + '.key' }}\"\n new_csr: \"{{ key_file_name + '.csr' }}\"\n \n - name: save timestamp information to local file\n copy:\n content: \"{{ key_csr_info | to_nice_yaml }}\"\n dest: \"{{ '~/ssl/server/material/cert_%s.info' | format(csr_data.csr_name) }}\"\n force: yes\n \n - name: print file locations\n debug:\n msg: \n - \"{{ 'new private key created: ~/ssl/server/material/' + key_file_name + '.key' }}\"\n - \"{{ 'new signing req created: ~/ssl/server/material/' + key_file_name + '.csr' }}\"\n - \"{{ 'new key/csr information: ~/ssl/server/material/cert_%s.info' | format(csr_data.csr_name) }}\"\n \n - name: sign certificate with local CA\n command: openssl ca -notext -md sha256 -days 730 -batch -passin pass:{{ intermediate_ca_credentials.secret }} -out ~/ssl/server/material/{{ key_file_name }}.crt -config ~/ssl/intermediate/openssl.cnf -extensions server_cert -in ~/ssl/server/material/{{ key_file_name }}.csr\n \n - name: save intermediate CA chain (src is referencing the locally saved chain of intermediate CAs)\n copy:\n src: \"~/ssl/intermediate/crt/intermediate-ca.crt\"\n dest: \"{{ '~/ssl/server/material/chain_' + csr_data.csr_name + '_' + csr_data.csr_suffix + '.crt' }}\"\n \n - name: print file locations\n debug:\n msg: \n - \"{{ 'new signed cert created: ~/ssl/server/material/' + key_file_name + '.csr' }}\"\n - \"{{ 'new intermediate saved: ~/ssl/server/material/chain_' + csr_data.csr_name + '_' + csr_data.csr_suffix + '.crt' }}\"

Forum Discussion

Extract content of Certificate key file with REST or Ansible

4 Replies

F5 Academies Are Back – And We’re Coming to a City Near You

Introducing the F5 Application Study Tool (AST)

Recent Discussions

master key file on vcmp guest HA Cluster different?

F5 Health Monitor Receive String as JSON

Rewrite content in XML schema file.

DNS Request to VS?

Guide for exam 402 F5 Certified Solution Expert

Related Content

How to Extract the UPN from a Digital Certificate on a CAC card using F5 APM

Extracting the SNI server name

Help F5 Transform the BIG-IP Administrator Certification

Extracting X-Forwarded-For in Node.js

Layer 7 Content Routing in F5 XC

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS