
sidxzx
Mar 25, 2020

Get list of all certificates and their corresponding keys through the REST API (or CLI) in BIG-IP

Hello,

Is it possible to get all certificates and their corresponding keys with an API call? I've tried:

 curl -k -u admin:admin -H "Content-Type: application/json" -X GET  https://big-ip/mgmt/tm/sys/file/ssl-cert

but it gives me info about the certs and not their keys.

Same with:

tmsh list sys file ssl-cert all

No information about where to find the key.

However, in the GUI I can see, under System > Certificate Management > Traffic Certificate Management > SSL Certificate List, information about the certificates, their keys and the CSR. So is there a way to get all of this information through the REST API?

2 Replies

  • Hello sidxzx.

    Something you can do is execute a bash command through the REST API.

    curl -sku admin:<PASSWORD> -H "Content-Type: application/json" -X POST https://<MGMT_IP>/mgmt/tm/util/bash -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'\"}" | sed 's/\\n/\n/g'
    {
    "kind":"tm:util:bash:runstate",
    "command":"run",
    "utilCmdArgs":"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'",
    "commandResult":"
    -----BEGIN CERTIFICATE-----
    ...<CERTIFICATE_FILE>...
    -----END CERTIFICATE-----
    "}

    Usually certificates are located in "/config/filestore/files_d/Common_d/certificate_d/".

    KR,

    Dario.

  • If you want to find the private key that corresponds to a particular certificate, you need to:

    1) Get the certificate. See Mario's answer (i.e., POST /mgmt/tm/util/bash). The following Python trick gives you just the certificate part. Redirect the output to a file.

    ... iControl REST bash call ... | python -c 'import sys,json; o=json.load(sys.stdin); print(o["commandResult"])'

    (I know. Some prefer jq)

    2) Get the list of keys from /mgmt/tm/sys/file/ssl-cert: e.g.,

    curl -sku $PASS https://$HOST/mgmt/tm/sys/file/ssl-cert | \
    python -c 'import sys,json; o=json.load(sys.stdin); print("\n".join([x["systemPath"] for x in o["items"]]))'

    3) Get all the keys. See Mario's answer.

    4) Extract the modulus part from the certificate and all keys: e.g. (<file> here comes from Step 1 and 3),

    openssl x509 -noout -modulus -in <file> | awk -F= '{print $2}'

    Find the key that has the same modulus as the certificate.

    It would be a good idea to write a script that performs the matching on the target BIG-IP and returns the key name, and call it from iControl REST. That reduces the number of calls (because certs and keys are found locally on BIG-IP).