Forum Discussion

rashid_rashidov's avatar
rashid_rashidov
Icon for Nimbostratus rankNimbostratus
Jan 15, 2020

How to edit certificate ca bundle via iControl REST API

Hi,   I have ssl certificates that have ca bundles. These ca bundles include multiple certificates. The usecase is that some of those certificaes expire and need to be deleted at some point in tim...
BIG-IP
bundle
ca-bundle
cert
certificate
devops
iControlREST
ssl
Philippe_CLOUP's avatar
Philippe_CLOUP
Icon for Employee rankEmployee
Jan 15, 2020

Hi rashid,

i managed to make things work by using the following REST API entry:

do a GET on the following:

https://{{BIGIP}}/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle

where of course you replace the {BIGIP} with your BBIG-IP IP address and add the relevant AUTH headers and so on (but you know that, based on what you sent in your question).

this assumes that you have created your own ca-bundle (not the default one i mean).

it should provide a list like this one :

{
    "kind": "tm:sys:crypto:ca-bundle-manager:ca-bundle-managerstate",
    "name": "MyCABundle",
    "partition": "Common",
    "fullPath": "/Common/MyCABundle",
    "generation": 43,
    "selfLink": "https://localhost/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle?ver=14.1.0.3",
    "proxyPort": 3128,
    "timeOut": 8,
    "trustedCaBundle": "/Common/ca-bundle.crt",
    "trustedCaBundleReference": {
        "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt?ver=14.1.0.3"
    },
    "updateInterval": 0,
    "includeBundle": [
        "/Common/default.crt",
        "/Common/f5-ca-bundle.crt",
        "/Common/f5-irule.crt"
    ],
    "includeBundleReference": [
        {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=14.1.0.3"
        },
        {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~f5-ca-bundle.crt?ver=14.1.0.3"
        },
        {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~f5-irule.crt?ver=14.1.0.3"
        }
    ]
}

and then you take what is needed to be removed (for example here, i will remove f5-irule.crt from this list)

and craft a PATCH REST call to your BIG-IP:

PATCH https://{{BIGIP}}/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle
 
{
"includeBundle": [
        "/Common/default.crt",
        "/Common/f5-ca-bundle.crt"
    ]
 }

Result should look like this:

{
    "kind": "tm:sys:crypto:ca-bundle-manager:ca-bundle-managerstate",
    "name": "MyCABundle",
    "partition": "Common",
    "fullPath": "/Common/MyCABundle",
    "generation": 44,
    "selfLink": "https://localhost/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle?ver=14.1.0.3",
    "proxyPort": 3128,
    "timeOut": 8,
    "trustedCaBundle": "/Common/ca-bundle.crt",
    "trustedCaBundleReference": {
        "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt?ver=14.1.0.3"
    },
    "updateInterval": 0,
    "includeBundle": [
        "/Common/default.crt",
        "/Common/f5-ca-bundle.crt"
    ],
    "includeBundleReference": [
        {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=14.1.0.3"
        },
        {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~f5-ca-bundle.crt?ver=14.1.0.3"
        }
    ]
}

HTH