Forum Discussion
Get list of all certificates and their corresponding keys through the REST API (or CLI) in BIG-IP
Hello,
Is it possible to get all certificates and their corresponding keys with an API call? I've tried:
curl -k -u admin:admin -H "Content-Type: application/json" -X GET https://big-ip/mgmt/tm/sys/file/ssl-cert
but it gives me info about the certs and not their keys.
Same with:
tmsh list sys file ssl-cert all
No information about where to find the key.
However, in the GUI I can see in System > Certificate Management > Traffic Certificate Management > SSL Certificate List information about the certificates, their key and the CSR. So is there a way to get all of this information through the REST API?
Hello sidxzx.
Something you can do is to execute a BASH command using the REST API.
curl -sku admin:<PASSWORD> -H "Content-Type: application/json" -X POST https://<MGMT_IP>/mgmt/tm/util/bash -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'\"}" | sed 's/\\n/\n/g'
{
  "kind":"tm:util:bash:runstate",
  "command":"run",
  "utilCmdArgs":"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'",
  "commandResult":" -----BEGIN CERTIFICATE----- ...<CERTIFICATE_FILE>... -----END CERTIFICATE----- "
}
Usually certificates are located in "/config/filestore/files_d/Common_d/certificate_d/".
KR,
Dario.
Satoshi_Toyosa1 (Ret. Employee):
If you want to find the private key that corresponds to a particular certificate, you need to:
1) Get the certificate. See Mario's answer (i.e., POST /mgmt/tm/util/bash). The following Python trick gives you just the certificate part. Redirect the output to a file.
... iControl REST bash call ... | python -c 'import sys,json; o=json.load(sys.stdin); print(o["commandResult"])'
(I know. Some prefer jq)
2) Get the list of keys from /mgmt/tm/sys/file/ssl-cert: e.g.,
curl -sku $PASS https://$HOST/mgmt/tm/sys/file/ssl-cert | \
  python -c 'import sys,json; o=json.load(sys.stdin); print("\n".join([x["systemPath"] for x in o["items"]]))'
3) Get all the keys. See Mario's answer.
4) Extract the modulus part from the certificate and all keys: e.g. (<file> here comes from Steps 1 and 3),
openssl x509 -noout -modulus -in <file> | awk -F= '{print $2}'   # certificate file
openssl rsa -noout -modulus -in <file> | awk -F= '{print $2}'    # RSA key file
Find the key that has the same modulus as the certificate.
It would be a good idea to write a script that performs the matching on the target BIG-IP and returns the key name, and call it from iControl REST. That reduces the number of calls (because certs and keys are found locally on BIG-IP).