Forum Discussion

f5Subrun
Feb 06, 2025

Where is the location of CSR at F5 CLI

Where is the location of the CSR at the F5 CLI? I would like to see the location and the command to find a CSR from the F5 CLI.

  • Hi f5Subrun,

     

    In bash mode, try the following:

     

    tmsh list sys crypto cert all

    tmsh list sys crypto csr

    To list all the certs/keys/CSRs etc. for all the partitions recursively, use the following master command if there are more partitions other than /Common:

    tmsh -q -c "cd / ; list sys crypto recursive all-properties "

     

    In TMSH mode, try the following:

    If there is only one partition, or you want to run it on an individual partition, use this in TMSH mode:

     

    list sys crypto recursive all-properties

     

     

    list sys crypto cert

    list sys crypto crl

    list sys crypto csr

    list sys crypto key

     

    show sys crypto

    Very limited output:

    *****************************************************

    root@(Test-Box1-Active)(cfg-sync In Sync)(/S1-green-P::Standby)(/Common)(tmos)# show sys crypto

    15 certificates found
    0 certificate revocation lists found
    3 CSRs found
    9 keys found
    FIPS 140 is not licensed.

    --------------------------------------
    Sys::Crypto Acceleration Distribution:
    --------------------------------------
    Primitive           Forced CPU  Total
    ECDH                        14     14
    ECDSA Sign                   0      0
    RSA encrypt/verify           0     28

    -----------------------------------------------------------------------------------------------------------------------------
    Sys::Encrypted Attributes
    Object Type                 Object Name                                                                                        Attribute     Valid Encryption
    -----------------------------------------------------------------------------------------------------------------------------
    profile_serverssl           ****SCRUBBED-DUE-TO_PRIVACY****.com-serverssl                                                                passphrase    1
    profile_sctp                sctp                                                                                               secret        1
    profile_clientssl           ****SCRUBBED-DUE-TO_PRIVACY****.com                                                                                  passphrase    1
    profile_clientssl           ****SCRUBBED-DUE-TO_PRIVACY****.com-clientssl                                                                passphrase    1
    clientssl_certkeychain      ****SCRUBBED-DUE-TO_PRIVACY****.com-clientssl 2023-CER-****SCRUBBED-DUE-TO_PRIVACY****_Private_CA_2022_0  passphrase    1
    clientssl_certkeychain      ****SCRUBBED-DUE-TO_PRIVACY****.com 2016-CER-****SCRUBBED-DUE-TO_PRIVACY****.com                                                   passphrase    1
    auth_tacacs_config          system-auth                                                                                        secret        1
    app_cloud_security_service  f5-credential-stuffing-cloud-app                                                                   access_token  1
    app_cloud_security_service  f5-global-cloud-app                                                                                access_token  1
    -----------------------------------------------------------------------------------------------------------
    Sys::Master-Key
    -----------------------------------------------------------------------------------------------------------
    master-key hash  <****SCRUBBED-DUE-TO_PRIVACY****==>
    previous hash    <****SCRUBBED-DUE-TO_PRIVACY****==>

    root@(Test-Box1-Active)(cfg-sync In Sync)(/S1-green-P::Standby)(/Common)(tmos)#


    *****************************************************************************************************

    For the CLI path to the CSR folder, use the cd command and use TAB for autocomplete in case you are not sure of

     

    root@(Test-Box1-Active)(cfg-sync In Sync)(/S1-green-P::Standby)(/Common)(tmos)#

    root@(Test-Box1-Active)(cfg-sync In Sync)(/S1-green-P::Standby)(/Common)(tmos)# bash

    [root@Test-Box1-Active:/S1-green-P::Standby:In Sync] ~ # cd /config/s

    snmp/        ssh/         ssl/         startup      statsd.conf

     

     

    [root@Test-Box1-Active:/S1-green-P::Standby:In Sync] ~ # cd /config/ssl/

    .f5km-lastlog  ssl.crl/       ssl.crt/       ssl.csr/       ssl.key/

     

     

    [root@Test-Box1-Active:/S1-green-P::Standby:In Sync] ~ # cd /config/ssl/ssl.csr/

     

    [root@Test-Box1-Active:/S1-green-P::Standby:In Sync] ssl.csr # ls

    2015-***-****.***.com.csr

     

     

    [root@Test-Box1-Active:/S1-green-P::Standby:In Sync] ssl.csr # ls -la

    total 12

    drwxr-xr-x. 2 root root 4096 Nov  4 14:03 .

    drwxr-xr-x. 6 root root 4096 Oct  9 18:51 ..

    -rw-r--r--. 1 root root 1541 Dec 11  2015 2015-***-****.***.com.csr

     

     

    [root@Test-Box1-Active:/S1-green-P::Standby:In Sync] ssl.csr #

    To read the content of the CSR file, either use the list command or, to read the file itself, use the cat command.

     

    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/DEV)(tmos)# list sys crypto

    Options:

      all-properties           current-module           non-default-properties   one-line                 recursive                |                       

    Modules:

      cert-validator           fips                    

    Components:

      acceleration-strategy    allow-key-export         ca-bundle-manager        cert                     cert-order-manager       client                   crl                      csr                      key                      server   

     

                  

    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/DEV)(tmos)# list sys crypto cert

    Modules:

      cert-validator      

    Components:

      cert                 cert-order-manager  

     

     

     

    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/DEV)(tmos)# list sys crypto cert

    Options:

      all                                               |                                                

    Properties:

      app-service                                       fingerprint                                       {                                                

    Configuration Items:

      2022-CER-********************   2023-CER-*************.com  


    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/DEV)(tmos)# list sys crypto cert ?

    Options:

      all                  Apply the command to all configuration items

      |                    Route command output to a filter

    Identifier:

      [object identifier]  Certificate name/identifier

    Properties:

      "{"                  Optional delimiter

      app-service

      fingerprint          Displays the SHA-256 fingerprint of the certificate.

     

     

     

    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/DEV)(tmos)#

    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/Common)(tmos)# list sys crypto

    Options:

      all-properties           current-module           non-default-properties   one-line                 recursive                |                       

    Modules:

      cert-validator           fips                    

    Components:

      acceleration-strategy    allow-key-export         ca-bundle-manager        cert                     cert-order-manager       client                   crl                      csr                      key                      server

     

                      

    TestAdmin1@(Test-Box1-Active)(cfg-sync In Sync)(/S2-green-P::Active)(/Common)(tmos)# list sys crypto all-properties

    ====================================

    Output has been Omitted due to Privacy reason

     

    ===================================

     

    For GUI, I always connect to my F5 boxes using WinSCP.

     

     

     

    When you select the SCP protocol in WinSCP, you are not able to list folder content. This is caused by the fact that, by default, you have access to TMSH and not to bash.

    Recommended Actions

    Reconfiguration of WinSCP.
    1) Save your session in WinSCP


    2) In Edit -> Advanced -> "Environment -> SCP/Shell" -> in shell field - manually put only "bash" command (do not select "/bin/bash")

     


    3) Save profile

     

    Additional Information
    Access to list files via WinSCP and the SCP protocol requires using an Administrator role user (the user needs to be able to jump from tmos to bash when connected via SSH).

    Kindly rate if it helps.


    F5 Design Engineer
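
Going one step past `ls` and `cat` on the CSR directory shown in the answer above, this added example (not part of the thread and not F5 code) decodes every `.csr` file with `openssl req` and reports key size, signature algorithm, self-signature status and subject. The function name `csr_inventory` is hypothetical, and the script assumes `openssl` is on the PATH of the bash shell.

```shell
#!/usr/bin/env bash
# Added example: inventory the CSR files in a directory. The default is the
# path shown in the thread; pass another directory as the first argument.
# Output is one tab-separated line per file:
#   file <TAB> key bits <TAB> signature algorithm <TAB> status <TAB> subject

csr_inventory() {
    local dir="${1:-/config/ssl/ssl.csr}" f text bits sig status subj
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }

    for f in "$dir"/*.csr; do
        [ -f "$f" ] || continue    # the glob matched nothing

        # A file that does not decode as a PKCS#10 request is reported, not skipped.
        if ! text=$(openssl req -in "$f" -noout -text 2>/dev/null); then
            printf '%s\t-\t-\tUNPARSEABLE\t-\n' "${f##*/}"
            continue
        fi

        # Key size and signature algorithm come from the decoded text form.
        bits=$(printf '%s\n' "$text" |
            sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        sig=$(printf '%s\n' "$text" |
            sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
        subj=$(openssl req -in "$f" -noout -subject 2>/dev/null |
            sed 's/^subject= *//')

        # -verify checks the request's self-signature; the success message
        # contains "verify OK" on the OpenSSL versions this was written against.
        if openssl req -in "$f" -noout -verify 2>&1 | grep -q 'verify OK'; then
            status=SIG_OK
        else
            status=SIG_BAD
        fi

        printf '%s\t%s\t%s\t%s\t%s\n' \
            "${f##*/}" "${bits:-?}" "${sig:-?}" "$status" "$subj"
    done
}
```

Run it as `csr_inventory` for the default directory, or `csr_inventory /path/to/dir` for a copy of the files on another host.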

     

  • Hi,

     

    Try the command - tmsh show /config/bigconfig/ssl.csr/

     

    BR
    Aswin

  • f5Subrun It depends on which CSR you're looking for. Is this for the device SSL cert in the GUI or is this for SSL certs for terminating HTTPS on the F5?