Forum Discussion

Greg_33932
Mar 30, 2017

OpenSSL command line on F5 LTM CSR/key generation

Been searching for a way to insert data into a command line and I'm having some issues, not sure if anyone has had success with this. I'm ultimately looking to automate bulk cert and key generation from a txt file inputting the CNs. I'm currently trying to isolate the command to add in the details in the -subj section. I'm not sure what I'm missing and I've been staring at it too long.

My searches so far have not been fruitful on finding good examples of this. Any advice would be appreciated. Note I did enter it without the variables. Thanks everyone!

openssl req -new -key ./bulk.key/$domain_rebrand.key -out ./bulk.csr/$domain_rebrand.csr -passin pass:$password \
  -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email"

Variables: country="United States" state=xxxxxx locality=xxxxxxx organization=xxxxxxx organizationalunit=IT email=xxxxxxxxx@xxxx.com

  • Is all of your organizational information the same across certificates, just the subject changing? When we went through a cert refresh exercise, I recall pre-generating openssl 'config' files that housed all of the certificate details (as we also had some that needed SAN extensions). Once we had a directory full of the config files, batch generation was done by listing the directory and piping through the bash command 'xargs' that popped the config file name into an openssl command to generate key and CSR based on the config. (The config files were generated with some Python that pulled necessary information from the existing certs.)

    Sorry if this doesn't help but wanted to pass along the idea of config files and 'xargs'. As the solution was 'mediocre but expedient' I didn't commit it to memory assuming we'd do something more elegant next round. ;)

  • I think I found the working command.

    openssl req -new -key ./bulk.key/$domain_rebrand.key -out ./bulk.key/$domain_rebrand.csr -subj "/C=US/ST=xxxxxx/L=xxxxx/O=xxxxxx/OU=xxxx/CN=$domain"

  • planning on using (which I found in an F5 article) to import the key into the LTM

    tmsh install /sys crypto key ./bulk.key/$domain_rebrand.key from-local-file /config/ssl/ssl.key/$domain_rebrand.key

  • ok, this new version of LTM has to be bugged...

    Document says use this: "11.5.0 and later: The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5test.com_2015.csr, using the SSL private key named f5test.com_2015.key using a SHA2 digest:"

    openssl req -new -key /config/ssl/ssl.key/f5test.com_2015.key -out /config/ssl/ssl.csr/f5test.com_2015.csr -sha256

    "Get unknown option -key" error message....

  • Thought I'd share since I don't see any good examples. This is working for me.

    The command looked like it was creating a key at the same time it was generating the CSR, my issue was the key needed to be created first. I thought I had done that first, but coming back to it again started working.

    We are rebranding hundreds of our websites and we have a different group managing a WAF device, so we need to send them the keys also, hence the email of both the key and CSR. I'm planning on further automating renewals to generate a new key each time and then email us the csr/key for processing with our CA provider and WAF team. Hope this helps someone!

    #!/bin/bash
    DATE=`date +%m%d%y-%H.%M.%S`
    
    mkdir -p ./bulk.csr
    mkdir -p ./bulk.key
    
    # One domain per line in ./domain.rebrand.txt
    while read -r domain; do
    echo "$domain"
    
    # Generate a key and CSR:
    openssl genrsa -out ./bulk.key/$domain.rebrand.key 2048
    
    openssl req -new -key ./bulk.key/$domain.rebrand.key -out ./bulk.csr/$domain.rebrand.csr -subj "/C=US/ST=xxx/L=xxx/O=xxx, Inc./OU=IT/CN=$domain/emailAddress=xxxx@xxx.com"
    # Append the decoded CSR to the log (a single ">" would overwrite it on every pass of the loop):
    openssl req -noout -text -in ./bulk.csr/$domain.rebrand.csr >> ./domain.rebrand.log
    
    # Sending email with the CSR and key (the file is sent as the message body):
    mail -s "Attached is the CSR generated for $domain on $HOSTNAME" xxxx@xxx.com < ./bulk.csr/$domain.rebrand.csr
    mail -s "Attached is the KEY generated for $domain on $HOSTNAME" xxxx@xxx.com < ./bulk.key/$domain.rebrand.key
    
    done < ./domain.rebrand.txt
    
    # Read a CSR back: openssl req -noout -text -in ./bulk.csr/$domain.rebrand.csr
    
  • also might come in handy:

    tmsh install /sys crypto key ./bulk.key/$domain_rebrand.key from-local-file /config/ssl/ssl.key/$domain_rebrand.key
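The bulk generation this thread works toward, written up as an added example (not the poster's script and not F5's): it drives the subject and a SAN from a generated per-host openssl config, as the config-file reply above suggests, verifies each CSR's self-signature and CN before it goes anywhere, and tolerates CRLF line endings in the list file. The org values, directory layout and hostnames are placeholders; it assumes the openssl CLI is on PATH.

```sh
#!/bin/sh
# Added example, not the poster's script: one 2048-bit key and one CSR per
# hostname in a list file, subject and SAN taken from a generated per-host
# openssl config (the config-file approach from the reply above), and each
# CSR verified before it goes anywhere. Assumes openssl on PATH; the org
# values and the ./bulk.key ./bulk.csr layout are placeholders.
set -eu

ORG_C="US"; ORG_ST="xxx"; ORG_L="xxx"; ORG_O="Example, Inc."; ORG_OU="IT"

# Write an openssl req config for one hostname: CN and SAN both get the name.
write_req_config() {    # $1 = hostname, $2 = config path
cat > "$2" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C  = $ORG_C
ST = $ORG_ST
L  = $ORG_L
O  = $ORG_O
OU = $ORG_OU
CN = $1
[ v3_req ]
subjectAltName = DNS:$1
EOF
}

# Key + CSR for one hostname. Returns 0 only if the CSR's self-signature
# verifies and its subject CN is the hostname that was requested.
make_csr() {            # $1 = hostname, $2 = output base dir
    mkdir -p "$2/bulk.key" "$2/bulk.csr"
    write_req_config "$1" "$2/bulk.csr/$1.cnf"
    openssl genrsa -out "$2/bulk.key/$1.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$2/bulk.key/$1.key" \
        -config "$2/bulk.csr/$1.cnf" -out "$2/bulk.csr/$1.csr"
    openssl req -noout -verify -in "$2/bulk.csr/$1.csr" >/dev/null 2>&1 &&
        openssl req -noout -subject -in "$2/bulk.csr/$1.csr" | grep -q "CN *= *$1"
}

# Whole list: CRLF and blank lines tolerated; stops at the first failure so a
# bad CSR is never silently skipped. Keys stay on disk; nothing is mailed.
bulk_csr() {            # $1 = list file, $2 = output base dir
    tr -d '\r' < "$1" | while read -r domain; do
        [ -n "$domain" ] || continue
        make_csr "$domain" "$2" || { echo "FAILED: $domain" >&2; exit 1; }
        echo "ok: $domain"
    done
}
```

Run it as `bulk_csr ./domain.rebrand.txt .` to get the same ./bulk.key and ./bulk.csr layout the poster uses; each .cnf sits beside its CSR so the exact request parameters are kept for the renewal run.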