Forum Discussion

martijnbrands_3's avatar
martijnbrands_3
Icon for Nimbostratus rankNimbostratus
Feb 22, 2019

Rest API generate key with passphrase

How can I generate a key with passphrase through the REST API. I do the following :

POST mgmt/tm/sys/crypto/key

 

    {
      "name": "/Common/test.domain.nl123.key",
      "keyType": "rsa-private",
      "securityType": "password",
      "password": "$M$1p$1JabAKC3V/riq3CHKwBNCw=="
    }

 

RESPONSE

 

    
{
      "kind": "tm:sys:crypto‌🔑‌keystate",
      "name": "/Common/test.domain.nl123.key",
      "fullPath": "/Common/test.domain.nl123.key",
      "generation": 5164,
      "selfLink": "https://localhost/mgmt/tm/sys/crypto/key/~Common~test.domain.nl123.key?ver=12.1.3.2",
      "keySize": "2048",
      "keyType": "rsa-private",
      "securityType": "normal"
    }

 

The securityType is still "normal". Try also with "passphrase": "$M$1p$1JabAKC3V/riq3CHKwBNCw==" but then the response is:

 

{
  "code": 400,
  "message": "\"passphrase\" may not be specified in the context of the \"create\" command. 
   \"passphrase\" may be specified using the following commands: install",
  "errorStack": [],
  `text`"apiError": 26214401
}

 

devops
iControl
iControlREST
  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Feb 26, 2019

    Fiddled around a bit in my lab and it does not seem to be possible the way you want it to.

    Even via TMSH you are forced to enter it manually by using prompt-for-password (although you might be able to pipe input there via bash):

     

    (/Common)(tmos) create sys crypto key test3 key-type rsa-private security-type password key-size 2048 ?
Options:
  gen-certificate      also generate a self signed certificate
  gen-csr              also generate a certificate signing request and display it
  prompt-for-password  Use password for key.
Properties:
  consumer             Specifies the TMOS component which will be making use of this.
  curve-name           Specifies the curve name to create elliptic curve (EC) key.

     

    So the only way left as far as I can see is to upload a locally generated file, or do some work around with bash (you can run bash commands via REST).

    /Patrik

  • Patrik_Jonsson's avatar
    Patrik_Jonsson
    Icon for MVP rankMVP
    Feb 26, 2019

    I think you got the syntax wrong for the command:

    This worked fine for me:

     

    curl -sku admin:admin https://192.168.10.23/mgmt/tm/util/bash -H "content-type:application/json"  -d "
    {
        \"command\": \"run\",
        \"utilCmdArgs\": \"-c 'openssl genrsa -aes256 -passout pass:DitIsEenTest123 -out /config/ssl/ssl.key/f5test.com_2015.key 2048'\"
    }
"

     

    Result:

     

    {"kind":"tm:util:bash:runstate","command":"run","utilCmdArgs":"-c 'openssl genrsa -aes256 -passout pass:DitIsEenTest123 -out /config/ssl/ssl.key/f5test.com_2015.key 2048'","commandResult":"Generating RSA private key, 2048 bit long modulus\n.......................+++++\n..................+++++\nunable to write 'random state'\ne is 65537 (0x10001)\n"}`

     

    And file exists:

     

    [root@f5yp01:Active:Disconnected] config  ls /config/ssl/ssl.key/
default.key  f5test.com_2015.key

     

  • Tom_Rogers's avatar
    Tom_Rogers
    Icon for Employee rankEmployee
    Oct 24, 2019

    >> How can I generate a key with passphrase through the REST API.

     

    Currently you can't use a pure REST API command to generate a private SSL key that uses a passphrase.

     

    F5 has RFE ID832649 to allow this, but it has not been implemented in any version of code (yet).

     

    If your business requirements dictate this functionality, please open a support ticket with F5, and have your ticket associated with the RFE ID