Forum Discussion

Wyko
Jul 12, 2023

How to make a password-protected private key via REST

Hey everyone! 

Does anyone know how to use a REST command to create a password-protected key? I tried the following, but it gave me the error:


 {"code":400,"message":"\"passphrase\" may not be specified in the context of the \"create\" command. \"passphrase\" may be specified using the following commands: install","errorStack":[],"apiError":26214401}




payload = {
    "name": f"{fqdn}-key-{datetime.utcnow().strftime('%Y%m%d%H%M%S')}.key",
    "commonName": options.common_name,
    "keySize": options.key_size,
    "keyType": "rsa-private",
    "options": [{"gen-csr": ""}],
    "organization": options.organization,
    "state": options.state,
    "subjectAlternativeName": sans,
    "passphrase": password,
    "securityType": "password",
}

# `client.post` is a placeholder: the name of the async REST client call was lost from the post.
r = await client.post("mgmt/tm/sys/crypto/key", json=payload, raise_err=False)





2 Replies

  • Hi Wyko, I could be off-base, but I don't think you can create the key this way. I believe you need to create the key from command line, either locally on a box and upload it to BIG-IP, or create it on command line on BIG-IP itself. Once that step is done, then you can create the file reference to that key with the REST methods.

    That said, I would not recommend using the /tm/sys/crypto/key method, as the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead. When using the latter method, you'll want to define the sourcePath attribute like "file:///var/config/rest/downloads/my.key" or wherever you uploaded/created the key. So the data that you would POST to /tm/sys/file/ssl-key would look something like (using the bigrest python iControl REST wrapper here):

    from bigrest.bigip import BIGIP
    b = BIGIP('mybigip.local', 'admin', 'admin', session_verify=False)
    key_data = {'name': 'testkey.key',
                'keySize': 2048,
                'keyType': 'rsa-private',
                'passphrase': 'encrypted passphrase here',
                'securityType': 'password',
                'sourcePath': 'file:///var/config/rest/downloads/mytestkey.key'}
    response = b.create('/mgmt/tm/sys/file/ssl-key', key_data)

    This assumes of course you've created the key and moved it or uploaded it to the BIG-IP /var/config/rest/downloads folder.

  • Wyko

    Unfortunately that would still require manual intervention. I am looking for a solution that can be fully automated. Any ideas?
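The two-step flow from the first reply (put an encrypted key file in /var/config/rest/downloads, then reference it with sourcePath) can be prepared entirely in code. The sketch below is an added example, not code from either poster or from F5. It assumes the third-party `cryptography` package for key generation and the iControl REST chunked upload endpoint `/mgmt/shared/file-transfer/uploads/`, which the thread does not mention; all function names and the chunk size are hypothetical.

```python
"""Added example: prepare an encrypted key and the requests that install it."""
import secrets

CHUNK = 512 * 1024  # assumed upload chunk size; adjust for your BIG-IP version
UPLOAD_URI = "/mgmt/shared/file-transfer/uploads/"  # assumed upload endpoint
DOWNLOAD_DIR = "/var/config/rest/downloads/"        # directory named in the reply


def new_passphrase() -> str:
    """Random passphrase to store in a secrets manager, never hard-coded."""
    return secrets.token_urlsafe(32)


def generate_encrypted_key(passphrase: str, key_size: int = 2048) -> bytes:
    """Return a passphrase-encrypted PEM; the key is never written in the clear."""
    # Imported lazily so the helpers below work without the package.
    # PKCS#8 output is an assumption; confirm your BIG-IP version imports it.
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(passphrase.encode()),
    )


def plan_upload(filename: str, data: bytes, chunk: int = CHUNK):
    """Yield (uri, headers, body) for each chunked POST of the key file."""
    total = len(data)
    for start in range(0, total, chunk):
        body = data[start:start + chunk]
        end = start + len(body) - 1  # Content-Range end offset is inclusive
        headers = {
            "Content-Type": "application/octet-stream",
            "Content-Range": f"{start}-{end}/{total}",
        }
        yield UPLOAD_URI + filename, headers, body


def ssl_key_payload(filename: str, passphrase: str, key_size: int = 2048) -> dict:
    """Body for POST /mgmt/tm/sys/file/ssl-key, same fields as the reply's example."""
    return {
        "name": filename,
        "keySize": key_size,
        "keyType": "rsa-private",
        "passphrase": passphrase,
        "securityType": "password",
        "sourcePath": "file://" + DOWNLOAD_DIR + filename,
    }
```

Send each tuple from `plan_upload` with your authenticated REST client, then POST the `ssl_key_payload` result to `/mgmt/tm/sys/file/ssl-key`.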