Forum Discussion
Replacing key/certs via iControl
I'm using key_import_from_pem() and certificate_import_from_pem() to update cert/key stored in a partition folder. I set the overwrite flag when making the call and both API calls succeed without exception.
Debug logs from F5:
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::certificate_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Cert: wildcard.xyzzy.com
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:05 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:+++++++++++++++++++++++++++++++++++++
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:KeyCertificate::key_import_from_pem ( ) called by user "yayaya"
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Mode: Default
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: [0] Key: wildcard.xyzzy.com
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management: Overwrite: yes
Aug 23 04:32:08 ca2-3a-velb1 debug iControlPortal.cgi[31559]: Management:-------------------------------------
Everything looks good in the logs and no exception is thrown via the API.
However, the new certificate/key IS NOT what we see in the certificate_d folder for the partition.
If I turn off the overwrite function, it DOES throw an exception that it would be replacing a file. So I _know_ it should be replacing the file in that location.
Something is amiss...
What is the appropriate way to replace certs/keys via iControl? I.e., we've got expiring certs that need replacement, or the cert has been modified to include an additional item in its subject alternative name, etc.
Thanks!
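A post-import check for the situation described in this post, where the import call returns without error but the stored certificate is unchanged. This is an added example, not part of the original post and not F5 code; how the stored PEM is read back from the device is left to the caller, and the sample certificates are constructed placeholders.

```python
import base64
import hashlib
import re

# Matches each certificate block in a PEM string (bundles hold several).
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate in pem_text.

    Hashing the decoded DER bytes makes the comparison independent of
    line wrapping, CRLF endings and surrounding whitespace.
    """
    prints = []
    for body in _PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no PEM certificate block found")
    return prints


def import_took_effect(uploaded_pem, readback_pem):
    """True only if the device now holds exactly what was uploaded."""
    return cert_fingerprints(uploaded_pem) == cert_fingerprints(readback_pem)


def _make_pem(der, width=64, eol="\n"):
    # Constructed helper: wraps arbitrary bytes as a PEM block for the demo.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"]) + eol


# Constructed sample data: placeholder bytes, not real certificates.
OLD_CERT = _make_pem(b"constructed-old-certificate-bytes" * 4)
NEW_CERT = _make_pem(b"constructed-new-certificate-bytes" * 4)
# Same new certificate as a device might return it: CRLF, 76-column wrap.
NEW_CERT_READBACK = _make_pem(b"constructed-new-certificate-bytes" * 4,
                              width=76, eol="\r\n")

if __name__ == "__main__":
    print("replaced:", import_took_effect(NEW_CERT, NEW_CERT_READBACK))
    print("stale:   ", import_took_effect(NEW_CERT, OLD_CERT))
```

Running the comparison after every import turns a silent non-replacement into a hard failure in the rotation job instead of a surprise at certificate expiry.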
11 Replies
- hoolio
Cirrostratus
There should be a hotfix available for BZ388590 soon. Can you contact F5 Support to make sure they'll provide a hotfix for your current version(s)?
Thanks, Aaron