Generate private key w/ CSR via iControl REST
Problem this snippet solves:
Generate a private key w/ CSR
How to use this snippet:
To create a private key with a CSR via iControl REST:
POST URL: https://10.1.1.165/mgmt/tm/sys/crypto/key
Use the data below as your payload.
For the name field, it must end in .key or you will get a false 404!
Code :
{ "name":"www.testing.com.key", "commonName":"www.testing.com", "keySize":"4096", "keyType":"rsa-private", "options":[{"gen-csr":"www.testing.com"}], "organization":"Let It Snow Corp.", "ou":"Ice Engineering", "city":"Calhoun", "state":"AZ", "admin-email-address":"jerry@letit.snow", "email-address":"beth@letit.snow", "subject-alternative-name":"DNS:www.testing.com", "challenge-password":"myP4ssword" }
Tested this on version:
13.0- ZdendaCirrus
How can I specify a partition? When added to JSON it seems to be ignored
- B_EarpAltocumulus
Tested Version 16.1.3
#!/bin/bash ### Set Variables ### fqdn="www.testing1.com" bigip="mybigip.company.com" partition="myPartition" username="myUsername" password="myPassword" subjectAlternativeName="DNS:www.testing2.com,DNS:www.testing3.com"" ### Set Data ### data='{ "name":"'"$fqdn"'.key", "commonName":"'"$fqdn"'", "partition":"'"$partition"'", "keySize":"4096", "keyType":"rsa-private", "options":[{"gen-csr":"'"$fqdn"'"}], "organization":"ACME Inc ", "ou":"IT Security", "city":"Houston", "state":"Texas", "country":"US", "subject-alternative-name":"DNS:'"$fqdn"','"$subjectAlternativeName"'" }' ### Create Key & CSR ### curl -sku $username:$password -X POST -H "Content-Type: application/json" -d "$data" https://$bigip/mgmt/tm/sys/crypto/key ### Download CSR ### function list_csr() { data="{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh list sys crypto csr /"$partition"/"$fqdn".key \| grep -ve \'sys crypto\' -ve \'}\' -ve \' \' '\"}" curl -sku $username:$password -H "Content-Type: application/json" -X POST https://$bigip/mgmt/tm/util/bash -d "$data" | jq -r '.commandResult' | awk '/-----BEGIN CERTIFICATE REQUEST-----/,/-----END CERTIFICATE REQUEST-----/' } ### Write CSR to a file ### list_csr > "$fqdn".csr ### new line ### echo -e "\n" ### Verify CSR ### openssl req -text -noout -verify -in "$fqdn".csr ### Open CSR in default program ### explorer "$fqdn".csr
It is failing when we use wildcard common name i.e '*.abc.example.com'. Appreciate your help.
- Tushar_JagdaleNimbostratus
Hi Gregory,
Thanks for the post! is there a GET or any other API to pull the newly created/generated CSR?
Regards,
- G-RobEmployee
Tushar,
Take a look at this: https://devcentral.f5.com/s/question/0D51T00006i7del/export-a-fips-based-csr-certificate-signing-request-via-icontrol
Let me know if that doesn't help.
- Abdessamad1Cirrostratus
The same can be done with python SDK:
mgmt.tm.sys.crypto.keys.key.create(name='www.testing.com.key', options=[{"gen-csr":"www.testing.com"}], commonName='www.testing.com', country='BE', city='Brussels', organization='AEL Lab', ou='IT', subjectAlternativeName='DNS:www.testing.com, DNS:testing.com')
But couldn't find a way to retrieve the CSR file or text directly with SDK? I guess we have to go via mgmt.tm.util.bash.exec_cmd
- newbieF5guyNimbostratus
This helped me a lot!
Gregory do you know from here how I could retrieve the CSR and key text directly using the iControl RestAPI?
- G-RobEmployee
Check out this post: https://devcentral.f5.com/s/question/0D51T00006i7d2P/is-there-a-way-to-download-export-the-actual-key-rsa-certificate-files-from-bigip-using-the-icontrol-rest
Unfortunately I don't think there is a way to do it via iControl REST.
- Muhammad_RafiNimbostratus
add the following key pair in the above payload, it works for me
"partition":"PART1",
note: replace PART1 with your partition you want to generate the key on.
- ishhyd82Nimbostratus
Can you please share the code which worked for you?
- Muhammad_RafiNimbostratus
Here is the pay payload and URI for the CSR generations
https://{{bigip}}/mgmt/tm/sys/crypto/csr
Please note, you need to have key generated before prior to create the CSR.
{ "name": "www.example.com", "commonName": "www.example.com", "partition":"TENANT_2", "key": "www.example.com.key", "organization": "Cutomer4", "ou": "Engineering", "city": "London", "state_or_province_name": "England", "country": "UK", "email-address": "customer4@example2.com" }