How to make a password-protected private key via REST
Hi Wyko, I could be off-base, but I don't think you can create the key this way. I believe you need to create the key from command line, either locally on a box and upload it to BIG-IP, or create it on command line on BIG-IP itself. Once that step is done, then you can create the file reference to that key with the REST methods.
That said, I would not recommend using the /tm/sys/crypto/key method, as the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead. When using the latter method, you'll want to define the sourcePath attribute like "file:///var/config/rest/downloads/my.key" or wherever you uploaded/created the key. So the data that you would POST to /tm/sys/file/ssl-key would look something like (using the bigrest Python iControl REST wrapper here):
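```python
from bigrest.bigip import BIGIP

# Connect to the BIG-IP management interface (TLS verification is disabled here)
b = BIGIP('mybigip.local', 'admin', 'admin', session_verify=False)

# Attributes of the ssl-key file object; sourcePath points at the uploaded key
key_data = {
    'name': 'testkey.key',
    'keySize': 2048,
    'keyType': 'rsa-private',
    'passphrase': 'encrypted passphrase here',
    'securityType': 'password',
    'sourcePath': 'file:///var/config/rest/downloads/mytestkey.key',
}

# Create the file reference to the key that already exists on the box
response = b.create('/mgmt/tm/sys/file/ssl-key', key_data)
```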
This assumes of course you've created the key and moved it or uploaded it to the BIG-IP /var/config/rest/downloads folder.
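A pre-flight check for the workflow described above, as an added example that is not part of the original post or of bigrest: it confirms that the key file really is passphrase-protected before building the `/mgmt/tm/sys/file/ssl-key` body. The helper names `key_protection` and `build_ssl_key_payload` are hypothetical, the sample PEM strings are constructed placeholders (not real keys), and the payload fields are the ones shown in the post.

```python
import re

# Upload directory named in the post
DOWNLOADS = "/var/config/rest/downloads/"
# PEM markers of passphrase-protected keys: PKCS#8 and the legacy OpenSSL format
PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
LEGACY_ENCRYPTED = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.MULTILINE)
PRIVATE_KEY_BEGIN = re.compile(
    r"^-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----\s*$", re.MULTILINE)

# Constructed sample inputs; the base64 bodies are placeholders, not key material
SAMPLE_PKCS8 = PKCS8_ENCRYPTED + "\nQ09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                 "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"


def key_protection(pem_text):
    """Classify a PEM string as 'encrypted', 'plaintext' or 'not-a-key'."""
    if not PRIVATE_KEY_BEGIN.search(pem_text):
        return "not-a-key"
    if PKCS8_ENCRYPTED in pem_text or LEGACY_ENCRYPTED.search(pem_text):
        return "encrypted"
    return "plaintext"


def build_ssl_key_payload(name, filename, pem_text, passphrase):
    """Build the ssl-key POST body, refusing input that is not what was intended."""
    state = key_protection(pem_text)
    if state != "encrypted":
        raise ValueError(f"{filename}: expected a passphrase-protected key, got {state}")
    if not passphrase:
        raise ValueError("refusing to build a 'password' payload without a passphrase")
    if "/" in filename or filename.startswith("."):
        raise ValueError("filename must be a bare file name inside the upload directory")
    return {
        "name": name,
        "passphrase": passphrase,
        "securityType": "password",
        "sourcePath": "file://" + DOWNLOADS + filename,
    }


if __name__ == "__main__":
    for label, pem in (("pkcs8", SAMPLE_PKCS8), ("legacy", SAMPLE_LEGACY), ("plain", SAMPLE_PLAIN)):
        print(label, key_protection(pem))
```

Supply the passphrase at run time (for example from an environment variable or a prompt) rather than hard-coding it in the script.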
Hi JRahm
> the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead.
I'm struggling to believe this, can you tell me where this deprecation is documented? The /tm/sys/file/ssl-key method seems to not actually allow the generation of a key within the F5, it only allows one to be imported from elsewhere. If I try to create new by just specifying a name and key size, I get
```
"code": 400,
"message": "source-path is required.",
"errorStack": [],
"apiError": 26214401
```
JRahm (Admin), Aug 05, 2025:
They sorta work in some scenarios, but when I was working on the imperative sdk years ago I was told to focus on the file commands as the crypto ones were deprecated. Also having a hard time finding that documented anywhere. I'm poking around on this, will let you know if I turn anything up.