Forum Discussion

Wyko
Jul 12, 2023

How to make a password-protected private key via REST

Hey everyone! 

Does anyone know how to use a REST command to create a password-protected key? I tried the following, but it gave me the error:

{"code":400,"message":"\"passphrase\" may not be specified in the context of the \"create\" command. \"passphrase\" may be specified using the following commands: install","errorStack":[],"apiError":26214401}

from datetime import datetime

# fqdn, options, sans, password and ltm (an async iControl REST client exposing
# .post(path, json=..., raise_err=...)) are defined elsewhere in the script.
payload = {
    "name": f"{fqdn}-key-{datetime.utcnow().strftime('%Y%m%d%H%M%S')}.key",
    "commonName": options.common_name,
    "keySize": options.key_size,
    "keyType": "rsa-private",
    "options": [{"gen-csr": "www.testing.com"}],
    "organization": options.organization,
    "city": options.city,
    "state": options.state,
    "emailAddress": options.email,
    "subjectAlternativeName": sans,
    "passphrase": password,        # this field is what triggers the 400 above
    "securityType": "password",
}

# POST to the crypto/key collection (the "create" command); raise_err=False
# returns the error body instead of raising, which is how the 400 above was captured.
r = await ltm.post("mgmt/tm/sys/crypto/key", json=payload, raise_err=False)

4 Replies

  • Hi Wyko, I could be off-base, but I don't think you can create the key this way. I believe you need to create the key from the command line, either locally on a box and upload it to BIG-IP, or create it on the command line on BIG-IP itself. Once that step is done, then you can create the file reference to that key with the REST methods.

    That said, I would not recommend using the /tm/sys/crypto/key method, as the /tm/sys/crypto methods have been deprecated for a while; use the /tm/sys/file/ssl-key method instead. When using the latter method, you'll want to define the sourcePath attribute like "file:///var/config/rest/downloads/my.key" or wherever you uploaded/created the key. So the data that you would POST to /tm/sys/file/ssl-key would look something like (using the bigrest python iControl REST wrapper here):

    from bigrest.bigip import BIGIP

    # session_verify=False skips TLS verification of the BIG-IP's management cert;
    # fine for a lab, not for production.
    b = BIGIP('mybigip.local', 'admin', 'admin', session_verify=False)

    # sourcePath points at the key already on the box; passphrase + securityType
    # tell BIG-IP the file is encrypted and how to unlock it.
    key_data = {'name': 'testkey.key',
                'keySize': 2048,
                'keyType': 'rsa-private',
                'passphrase': 'encrypted passphrase here',
                'securityType': 'password',
                'sourcePath': 'file:///var/config/rest/downloads/mytestkey.key'
                }
    response = b.create('/mgmt/tm/sys/file/ssl-key', key_data)

     This assumes of course you've created the key and moved it or uploaded it to the BIG-IP /var/config/rest/downloads folder.

    • phildotchon

      Hi JRahm

      "the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead."

      I'm struggling to believe this; can you tell me where this deprecation is documented? The /tm/sys/file/ssl-key method seems to not actually allow the generation of a key within the F5, it only allows one to be imported from elsewhere. If I try to create new by just specifying a name and key size, I get

      {
        "code": 400,
        "message": "source-path is required.",
        "errorStack": [],
        "apiError": 26214401
      }

      • JRahm

        They sorta work in some scenarios, but when I was working on the imperative sdk years ago I was told to focus on the file commands as the crypto ones were deprecated. Also having a hard time finding that documented anywhere. I'm poking around on this, will let you know if I turn anything up.

  • Wyko

    Unfortunately that would still require manual intervention. I am looking for a solution that can be fully automated. Any ideas?