Forum Discussion
iControl and Powershell - key import and certificate import
I am attempting to script out importing a SSL crt/key pair into a new F5 running 11.3. I'm using iControl within Powershell. I've successfully used iControl and Powershell for other tasks on this new F5. Below is my sample code which doesn't seem to be working. Any ideas/suggestions?
$SSLDir = "<path to folder containing crt and key files on my machine>"
$url = "www.myurl.com"
$crtfilename = $url + ".crt"
$keyfilename = $url + ".key"
$keyfile = $SSLDir + "\" + $keyfilename
$crtfile = $SSLDir + "\" + $crtfilename
(Get-F5.iControl).ManagementPartition.Set_active_partition("Common")
(Get-F5.iControl).ManagementKeyCertificate.key_import_from_file(0,$url,$keyfile,$false)
(Get-F5.iControl).ManagementKeyCertificate.certificate_import_from_file(0,$url,$crtfile,$false)
- dmacika_116140Nimbostratus
Worked with F5 support and came up with a working solution. Import_from_pem was failing for me at first. Key is to use the -raw flag on the get-content. Hope this helps others in the future.
# $url is the common name of the certificate. .crt and .key files are stored as $url.crt and $url.key
$url = "www.mydomain.com"
# IP address of the F5
$srv = "1.2.3.4"
# Directory where the crt and key files are placed
$SSLDir = "D:\temp"
Add-PSSnapIn iControlSnapIn -ErrorAction SilentlyContinue
Initialize-F5.iControl -Hostname $srv -Credentials (Get-Credential)
(Get-F5.iControl).ManagementPartition.Set_active_partition("Common")
$crtfilename = $url + ".crt"
$keyfilename = $url + ".key"
$keyfile = $SSLDir + "\" + $keyfilename
$crtfile = $SSLDir + "\" + $crtfilename
if ( (test-path $keyfile) -and (test-path $crtfile) ) {
    # Read the files only after confirming they exist; -raw returns each file as one string
    $key_pem = get-content $keyfile -raw
    $crt_pem = get-content $crtfile -raw
    (Get-F5.iControl).ManagementKeyCertificate.Key_import_from_pem("MANAGEMENT_MODE_DEFAULT",$url,$key_pem,1)
    (Get-F5.iControl).ManagementKeyCertificate.certificate_import_from_pem("MANAGEMENT_MODE_DEFAULT",$url,$crt_pem,1)
} else {
    write-host "Missing Files"
}
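What the -raw flag changes, shown as an added example that is not part of the original posts or of F5's code: without -Raw, Get-Content returns one array element per line, so the PEM argument is not a single string. Test-PemText and the sample file are hypothetical and constructed for illustration; -Raw requires PowerShell 3.0 or later.

```powershell
# Constructed sample file: the base64 body is placeholder text, not a real certificate.
$tmp = Join-Path ([IO.Path]::GetTempPath()) "example-constructed.crt"
Set-Content -Path $tmp -Value @(
    "-----BEGIN CERTIFICATE-----",
    "Q09OU1RSVUNURUQgU0FNUExFIERBVEE=",
    "-----END CERTIFICATE-----"
)

$lines = Get-Content $tmp        # array: one element per line of the file
$text  = Get-Content $tmp -Raw   # single string with the newlines preserved

# Hypothetical pre-flight check to run before handing PEM text to an import call.
# $Label is treated as a regex, so "(RSA )?PRIVATE KEY" covers both key header forms.
function Test-PemText {
    param(
        [Parameter(Mandatory)] $Pem,
        [string] $Label = "CERTIFICATE"
    )
    if ($Pem -isnot [string]) {
        return "not a single string (got $($Pem.GetType().Name))"
    }
    $pattern = "(?s)^\s*-----BEGIN $Label-----\s.+\s-----END $Label-----\s*$"
    if ($Pem -notmatch $pattern) {
        return "missing or mismatched BEGIN/END markers for $Label"
    }
    return "ok"
}

Write-Host ("Without -Raw: " + (Test-PemText $lines))
Write-Host ("With -Raw:    " + (Test-PemText $text))

Remove-Item $tmp
```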
- Hank_StallingsNimbostratus
Take a look at this posting:
https://devcentral.f5.com/questions/what-is-the-path-to-a-users-home-directory-from-root
- Tim_K_92675Cirrostratus
Looks like the mode is being passed in as a string? Try something like this:
$mgmtModeType = New-Object -TypeName iControl.ManagementKeyCertificateManagementModeType
$mgmtModeType.value__ = 0
Then add it into the call:
$F5.ManagementKeyCertificate.key_import_from_file( $mgmtModeType, (,$url), (,$keyfile), $false )
- dmacika_116140Nimbostratus
Yeah, that's the same result I've been seeing.
- Hank_StallingsNimbostratus
Didn't help, no error, but it doesn't import the crt/key
- dmacika_116140Nimbostratus
I had this fully automated in v10.x (upload new crt key pair and create a SSL Client profile if one did not already exist), but whatever I had there doesn't work in 11.x
- dmacika_116140Nimbostratus
I was using upload-f5.file previously. I understand this won't work in 11.x due to change to how SSL certs are stored in the F5.
$rmcrt = "/config/ssl/ssl.crt/" + $pathurl + ".crt"
$rmkey = "/config/ssl/ssl.key/" + $pathurl + ".key"
upload-f5.file -RemoteFile $rmcrt -LocalFile $crtfile
upload-f5.file -RemoteFile $rmkey -LocalFile $keyfile
- Hank_StallingsNimbostratus
Could you share the code you used back when it worked?
- Hank_StallingsNimbostratus
Bummer, automating this is on my list and it doesn't look promising. I understand that it works with Ruby, but I have no experience (or much desire) in that. If I ever come up with anything I'll update this. I'm surprised that F5 hasn't stepped in and assisted on this forum.
- dmacika_116140Nimbostratus
Negative. I have it on my task list of things to tackle. Most likely I will have to open a support case at some time. In the meantime, our service desk has been importing new certs and keys manually via the web interface.
- Hank_StallingsNimbostratus
Were you ever able to get this working?
- dmacika_116140Nimbostratus
I revisited this myself and tried using import from pem instead of import from file, but that fails as well.
Then I'm at a loss. I sent a message to the iControl guru. Hopefully he'll have time to enlighten us mortals.
/Patrik
- dmacika_116140Nimbostratus
Still doesn't work.
- Yeah, I realized that too. Gives no error, but no certificate is shown in the gui or filestore. Also tried the PEM importer using text, but failed that one too.