mhite_60883
Aug 23, 2012

Replacing key/certs via iControl

I'm using key_import_from_pem() and certificate_import_from_pem() to update cert/key stored in a partition folder. I set the overwrite flag when making the call and both API calls succeed without exception.

Debug logs from F5:

Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::certificate_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Cert: wildcard.xyzzy.com
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------

Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:+++++++++++++++++++++++++++++++++++++
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::key_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Key: wildcard.xyzzy.com
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------

Everything looks good in the logs and no exception is thrown via the API.

However, the new certificate/key IS NOT what we see in the certificate_d folder for the partition.

If I turn off the overwrite function, it DOES throw an exception that it would be replacing a file. So I _know_ it should be replacing the file in that location.

Something is amiss...

What is the appropriate way for replacing cert/keys via iControl? I.e., we've got expiring certs that need replacement, or the cert has been modified to include an additional item in its subject alternative name, etc.

Thanks!