Generate private key w/ CSR via iControl REST

Problem this snippet solves:

Generate a private key w/ CSR

How to use this snippet:

To create a private key with a CSR via iControl REST:

 

POST URL: https://10.1.1.165/mgmt/tm/sys/crypto/key

Use the data below as your payload.


For the name field, it must end in .key or you will get a false 404!

Code :

{  
"name":"www.testing.com.key",  
"commonName":"www.testing.com",  
"keySize":"4096",  
"keyType":"rsa-private",  
"options":[{"gen-csr":"www.testing.com"}],  
"organization":"Let It Snow Corp.",  
"ou":"Ice Engineering",  
"city":"Calhoun",  
"state":"AZ",  
"admin-email-address":"jerry@letit.snow",  
"email-address":"beth@letit.snow",  
"subject-alternative-name":"DNS:www.testing.com",  
"challenge-password":"myP4ssword"  
}

Tested this on version:

13.0
Published Aug 13, 2019
Version 1.0
  • How can I specify a partition? When added to JSON it seems to be ignored

  •     Tested Version 16.1.3

    #!/bin/bash
    
    ### Set Variables ###
    fqdn="www.testing1.com"
    bigip="mybigip.company.com"
    partition="myPartition"
    username="myUsername"
    password="myPassword"
    subjectAlternativeName="DNS:www.testing2.com,DNS:www.testing3.com""
    
    ### Set Data ###
    data='{
    "name":"'"$fqdn"'.key",
    "commonName":"'"$fqdn"'",
    "partition":"'"$partition"'",
    "keySize":"4096",
    "keyType":"rsa-private",
    "options":[{"gen-csr":"'"$fqdn"'"}],
    "organization":"ACME Inc ",
    "ou":"IT Security",
    "city":"Houston",
    "state":"Texas",
    "country":"US",
    "subject-alternative-name":"DNS:'"$fqdn"','"$subjectAlternativeName"'"
    }'
    
    ### Create Key & CSR ###
    curl -sku $username:$password -X POST -H "Content-Type: application/json" -d "$data" https://$bigip/mgmt/tm/sys/crypto/key
    
    ### Download CSR ###
    function list_csr() {
        data="{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh list sys crypto csr /"$partition"/"$fqdn".key \| grep -ve \'sys crypto\' -ve \'}\' -ve \' \' '\"}"
        curl -sku $username:$password -H "Content-Type: application/json" -X POST https://$bigip/mgmt/tm/util/bash -d "$data" | jq -r '.commandResult' | awk '/-----BEGIN CERTIFICATE REQUEST-----/,/-----END CERTIFICATE REQUEST-----/'
    }
    
    ### Write CSR to a file ###
    list_csr > "$fqdn".csr
    
    ### new line ###
    echo -e "\n"
    
    ### Verify CSR ###
    openssl req -text -noout -verify -in "$fqdn".csr
    
    ### Open CSR in default program ###
    explorer "$fqdn".csr

     

    • Samir's avatar
      Samir
      Icon for MVP rankMVP

      It is failing when we use wildcard common name i.e '*.abc.example.com'. Appreciate your help.

  • Hi Gregory,

    Thanks for the post! is there a GET or any other API to pull the newly created/generated CSR?

    Regards,

  • Tushar,

     

    Take a look at this: https://devcentral.f5.com/s/question/0D51T00006i7del/export-a-fips-based-csr-certificate-signing-request-via-icontrol

     

    Let me know if that doesn't help.

  • The same can be done with python SDK:

    mgmt.tm.sys.crypto.keys.key.create(name='www.testing.com.key', options=[{"gen-csr":"www.testing.com"}], commonName='www.testing.com', country='BE', city='Brussels', organization='AEL Lab', ou='IT', subjectAlternativeName='DNS:www.testing.com, DNS:testing.com')

    But couldn't find a way to retrieve the CSR file or text directly with SDK? I guess we have to go via mgmt.tm.util.bash.exec_cmd

  • This helped me a lot!

     

    Gregory do you know from here how I could retrieve the CSR and key text directly using the iControl RestAPI?

  •  add the following key pair in the above payload, it works for me

    "partition":"PART1",

     

    note: replace PART1 with your partition you want to generate the key on.

  •  Here is the pay payload and URI for the CSR generations

    https://{{bigip}}/mgmt/tm/sys/crypto/csr

    Please note, you need to have key generated before prior to create the CSR.

    {  
    	"name": "www.example.com",  
    	"commonName": "www.example.com",
        "partition":"TENANT_2",  
    	"key": "www.example.com.key",  
    	"organization": "Cutomer4",  
    	"ou": "Engineering",  
    	"city": "London",  
    	"state_or_province_name": "England",
        "country": "UK",
    	"email-address": "customer4@example2.com"
    }