Forum Discussion
How to make a password-protected private key via REST
Hey everyone!
Does anyone know how to use a REST command to create a password-protected key? I tried the following, but it gave me the error:
{"code":400,"message":"\"passphrase\" may not be specified in the context of the \"create\" command. \"passphrase\" may be specified using the following commands: install","errorStack":[],"apiError":26214401}
from datetime import datetime

# Key name is timestamped so repeated runs do not collide on the BIG-IP.
payload = {
    "name": f"{fqdn}-key-{datetime.utcnow().strftime('%Y%m%d%H%M%S')}.key",
    "commonName": options.common_name,
    "keySize": options.key_size,
    "keyType": "rsa-private",
    "options": [{"gen-csr": "www.testing.com"}],
    "organization": options.organization,
    "city": options.city,
    "state": options.state,
    "emailAddress": options.email,
    "subjectAlternativeName": sans,
    # These two fields are what the 400 response rejects for the "create" command.
    "passphrase": password,
    "securityType": "password",
}
r = await ltm.post("mgmt/tm/sys/crypto/key", json=payload, raise_err=False)
- JRahmAdmin
Hi Wyko, I could be off-base, but I don't think you can create the key this way. I believe you need to create the key from the command line, either locally on a box and upload it to BIG-IP, or create it on the command line on BIG-IP itself. Once that step is done, then you can create the file reference to that key with the REST methods.
That said, I would not recommend using the /tm/sys/crypto/key method, as the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead. When using the latter method, you'll want to define the sourcePath attribute like "file:///var/config/rest/downloads/my.key" or wherever you uploaded/created the key. So the data that you would POST to /tm/sys/file/ssl-key would look something like (using the bigrest python iControl REST wrapper here):
from bigrest.bigip import BIGIP

# Connect to the BIG-IP; session_verify=False skips TLS verification of the management cert.
b = BIGIP('mybigip.local', 'admin', 'admin', session_verify=False)

key_data = {
    'name': 'testkey.key',
    'keySize': 2048,
    'keyType': 'rsa-private',
    'passphrase': 'encrypted passphrase here',
    'securityType': 'password',
    # Path of the key file already present on the BIG-IP.
    'sourcePath': 'file:///var/config/rest/downloads/mytestkey.key'
}

# Creates the ssl-key object that references the uploaded file.
response = b.create('/mgmt/tm/sys/file/ssl-key', key_data)
This assumes of course you've created the key and moved it or uploaded it to the BIG-IP /var/config/rest/downloads folder.
- WykoAltostratus
Unfortunately that would still require manual intervention. I am looking for a solution that can be fully automated. Any ideas?
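The two steps JRahm describes (generate the passphrase-protected key off-box, then register the uploaded file via /mgmt/tm/sys/file/ssl-key with a sourcePath) can be scripted end to end; the following is an added example, not code from the thread or from bigrest. It assumes openssl is on PATH, that the key has already been copied to /var/config/rest/downloads by the caller's REST client, and it adds a guard that refuses to register a key that is not actually encrypted as securityType "password". The sample PEM strings are constructed header-only fragments, not real key material.

```python
import os
import re
import subprocess
from datetime import datetime, timezone

DOWNLOADS = "/var/config/rest/downloads"  # where iControl REST uploads land


def generate_encrypted_key(out_path: str, passphrase: str, bits: int = 2048) -> None:
    """Create an AES-256 encrypted PKCS#8 RSA key with openssl (assumed on PATH).
    The passphrase is passed through the environment rather than argv so it
    does not appear in process listings."""
    subprocess.run(
        ["openssl", "genpkey", "-algorithm", "RSA",
         "-pkeyopt", f"rsa_keygen_bits:{bits}",
         "-aes-256-cbc", "-pass", "env:KEY_PASS", "-out", out_path],
        check=True, env={**os.environ, "KEY_PASS": passphrase},
    )
    os.chmod(out_path, 0o600)  # key file readable by the owner only


def is_encrypted_pem(pem: str) -> bool:
    """True only if the PEM is passphrase-protected: PKCS#8 'ENCRYPTED PRIVATE KEY'
    or a legacy 'RSA/EC PRIVATE KEY' block carrying Proc-Type/DEK-Info headers."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return True
    legacy = re.search(
        r"-----BEGIN (RSA|EC) PRIVATE KEY-----\s*Proc-Type: 4,ENCRYPTED\s*DEK-Info:", pem)
    return legacy is not None


def ssl_key_payload(fqdn: str, pem: str, passphrase: str, uploaded_name: str) -> dict:
    """Build the body for POST /mgmt/tm/sys/file/ssl-key (fields as used in the
    thread). Refuses an unencrypted key so it is never registered as
    securityType=password with an unprotected file sitting on the box."""
    if not is_encrypted_pem(pem):
        raise ValueError("key file is not passphrase-protected; refusing to register it")
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    return {
        "name": f"{fqdn}-key-{stamp}.key",
        "passphrase": passphrase,
        "securityType": "password",
        "sourcePath": f"file://{DOWNLOADS}/{uploaded_name}",
    }


# Constructed samples: header lines only, no real key material.
SAMPLE_PKCS8_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nMIIE...\n"
                     "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n"
```

Wire the returned dict into whichever REST client you use (the thread's `ltm.post` or bigrest's `create`) after the key has been uploaded; only the generate step runs openssl.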