Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ

Hi Roman,

How does this script handle the import of cert/key pairs secured with passwords?

Thanks,

Simon

@Simon Lodge The script does not currently support import of cert/key protected with a password.

We could think about improving the script to handle it so the user would manually enter the password if required. Is this something you would be interested to have?

Hi Roman,

Firstly, thanks for the quick response.

Ideally, it would be fantastic if you could get the script to ignore the cert/key pairs protected by password (perhaps by inserting a flag), then report on the pairs it has skipped due to this issue - is this something you would consider looking at?

My particular problem is that I don't control the passwords set on cert/key pairs, the service owners do, and the F5 estate in my org currently holds approx. 15,000 SSL cert/key pairs, so following up with every service owner/group is very time-consuming and ultimately I don't have the resources to do so.

If I had the option to import the non-secured cert/key pairs whilst retaining a record of what's left that would allow me to start managing these whilst defining a standard set of passwords to secure cert/key pairs going forward.

Many thanks,

Simon

Actually, the current script already ignore the certs/keys with a passwords and give you a warning with the name of the key. The other object without password should be imported correctly.

2018-09-10 14:40:20,787:WARNING:Associate for Key /var/config/rest/downloads/:Common:myprivkey.key_112988_2 was not successful, final task state: {u'status': u'FAILED', ....

Thanks & Regards,

Just tried it and it works great, thanks Roman!

I've tested it on some lab boxes (containing approx. 200 SSL cert/key pairs) and no issues seen so far, I will let you know if I run into any issues when importing larger numbers of cert/key pairs from our production units. This addresses one major issue we've had with using BIGIQ as a centralised config manager - thanks again..

Cheers,

Simon

Hi,

Is there an option to ignore cert/key pairs with passwords. The passwords are the same, but the encryption makes them appear to be different, so there seems to be no way around this unless we name each cert/key profile different across each BIG-IP which would kind of defeat the process of using BIG-IQ. This is my hold up from importing...

Hello, The current script already ignore the certs/keys with a passwords and give you a warning with the name of the key. Cheers, Roman

I see now! Thanks!

My issue is with actually importing LTM services, not the certificate. The services will not import due to the encrypted output of the passwords being different. The passwords are the same but the encryption of it is different on each BIG-IP. Is there a script to get around that? See example below: The checksum is not allowing import of the certificate, but it is the same certificate, just uploaded to two different BIG-IPs.

acurry583,

It's strange that you would encounter a diff here. The keys and certs can only be imported from BIG-IP into BIG-IQ when the checksum matches, so I think the checksums must have been the same at the time you ran the import script. Typical workflow would go something like this:

1. Discover & Import LTM from the BIG-IP to BIG-IQ. At this time the BIG-IQ and BIG-IP will have the same checksum for the file, but BIG-IQ will not have the file content.

    

2. Run the import script. The script will copy the file content from BIG-IP and add it to the storage on BIG-IQ.

    

Step 2 will only succeed if the file content matches the checksum that originally came from BIG-IP during step 1.

This suggests that somewhere along the line you have modified the certificate. This does not appear to be related to passwords, since certificates don't use passwords (as far as I'm aware, anyway).

The data we can see for the cert looks the same on both sides, so it may be that the meaningful file content is identical, but the actual bytes of the files differ (for example, whitespace could have been added or removed). If you are inclined, you could examine the two versions of the file (from BIG-IP and from BIG-IQ) and see what has changed (though I'm not sure there's an easy way to fetch the file data on BIG-IQ--I could get you details on how to locate it if necessary). However, if you are confident that the file on BIG-IP is correct then I would suggest just accepting the BIG-IP version (which should import the file metadata and leave it unmanaged on BIG-IQ) then re-running the file import script to pull in the file content. Or, alternatively, delete the BIG-IQ object, import LTM, then run the import script.

Will this work on code 6.1.0