Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ
The functionality to automate the import of SSL certs & keys from BIG-IP to BIG-IQ is built into the product starting with BIG-IQ 7.0. This script should not be used on BIG-IQ 7.0+ as it has not been tested on those versions.
This script will import all supported SSL Certificates, Keys & CRLs that exist as unmanaged objects on this BIG-IQ and can be found on the target BIG-IP.
Steps performed by the script:
- Gather certificate and key metadata (including cache-path) from BIG-IPs
- Download certificate and key file data from BIG-IPs
- Upload certificate and key file data to BIG-IQ
Prerequisite: Discover and import LTM services before using this script. The target BIG-IP will be accessed over ssh using the BIG-IP root account.
Installation: The script must be installed in BIG-IQ under /shared/scripts:
# mkdir /shared/scripts
# chmod +x /shared/scripts/import-bigip-cert-key-crl.py
Command example:
# ./import-bigip-cert-key-crl.py <big-ip IP address>
Enter the root user's password if prompted.
Allowed command line options:
- -h: show this help message and exit
- -l LOG_FILE: log to the given file name
- --log-level {debug,info,warning,error,critical}: set logging to the given level (default: info)
- -p PORT: BIG-IP ssh port (default: 22)
Result: Configuration > Certificate Management > Certificates & Keys
Before running the script:
After running the script:
Location of the scripts on GitHub: https://github.com/f5devcentral/f5-big-iq-pm-team
In case your BIG-IQ is running on hardware:
Step 1: Install packages using pip, targeting a location of your choice
# mkdir py-modules
# pip install --target py-modules requests argparse
Step 2: Run using python2.7, adding py-modules to the python path
# PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py <big-ip IP address>
- Simon_Lodge (Nimbostratus)
Hi Roman,
How does this script handle the import of cert/key pairs secured with passwords?
Thanks,
Simon
- RomanJ (Ret. Employee)
@Simon Lodge The script does not currently support import of cert/key protected with a password.
We could think about improving the script to handle it so the user would manually enter the password if required. Is this something you would be interested to have?
- Simon_Lodge (Nimbostratus)
Hi Roman,
Firstly, thanks for the quick response.
Ideally, it would be fantastic if you could get the script to ignore the cert/key pairs protected by password (perhaps by inserting a flag), then report on the pairs it has skipped due to this issue. Is this something you would consider looking at?
My particular problem is that I don't control the passwords set on cert/key pairs, the service owners do, and the F5 estate in my org currently holds approx. 15,000 SSL cert/key pairs, so following up with every service owner/group is very time-consuming and ultimately I don't have the resources to do so.
If I had the option to import the non-secured cert/key pairs whilst retaining a record of what's left that would allow me to start managing these whilst defining a standard set of passwords to secure cert/key pairs going forward.
Many thanks,
Simon
- RomanJ (Ret. Employee)
Actually, the current script already ignores the certs/keys with a password and gives you a warning with the name of the key. The other objects without a password should be imported correctly.
2018-09-10 14:40:20,787:WARNING:Associate for Key /var/config/rest/downloads/:Common:myprivkey.key_112988_2 was not successful, final task state: {u'status': u'FAILED', ....
Thanks & Regards,
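To turn those warnings into the skipped-pairs report asked for above, the script's log can be post-processed. The following is an added example and not part of the script from the article; the log lines are constructed to match the shape of the warning quoted in the reply, and the assumption that the cache path ends in a numeric suffix after the key name is taken from that single quoted line.

```python
import re

# Constructed sample log lines in the shape of the script's own output
# (format copied from the warning quoted in the thread; paths are made up).
SAMPLE_LOG = """\
2018-09-10 14:40:18,101:INFO:Associate for Key /var/config/rest/downloads/:Common:web01.key_112980_1 succeeded
2018-09-10 14:40:20,787:WARNING:Associate for Key /var/config/rest/downloads/:Common:myprivkey.key_112988_2 was not successful, final task state: {u'status': u'FAILED'}
2018-09-10 14:40:22,015:WARNING:Associate for Key /var/config/rest/downloads/:Partition1:api.example.key_112990_3 was not successful, final task state: {u'status': u'FAILED'}
2018-09-10 14:40:23,500:INFO:Upload complete
"""

# A key the script could not associate on BIG-IQ (e.g. passphrase-protected).
FAILED_KEY_RE = re.compile(
    r":WARNING:Associate for Key (?P<path>\S+) was not successful")

# Assumed cache-name shape: ":<partition>:<object name>_<id>_<n>"; the trailing
# numeric parts are stripped to recover the BIG-IP key name.
CACHE_NAME_RE = re.compile(r":(?P<partition>[^:/]+):(?P<name>.+?)(?:_\d+)+$")


def skipped_keys(log_text):
    """Return [(partition, key_name, cache_path)] for every key the script skipped."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_KEY_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        n = CACHE_NAME_RE.search(path)
        if n:
            found.append((n.group("partition"), n.group("name"), path))
        else:
            # Unknown cache-name shape: keep the last path component so nothing is lost.
            found.append(("?", path.rsplit("/", 1)[-1], path))
    return found


def report(log_text):
    """Human-readable list of keys still to be followed up with the service owners."""
    rows = skipped_keys(log_text)
    lines = ["%d key(s) skipped (possibly passphrase-protected):" % len(rows)]
    for partition, name, path in rows:
        lines.append("  /%s/%s  <- %s" % (partition, name, path))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run the script with -l LOG_FILE and feed that file to report() to get the list of pairs that still need a password from their owners.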
- Simon_Lodge (Nimbostratus)
Just tried it and it works great, thanks Roman!
I've tested it on some lab boxes (containing approx. 200 SSL cert/key pairs) and no issues seen so far; I will let you know if I run into any issues when importing larger numbers of cert/key pairs from our production units. This addresses one major issue we've had with using BIG-IQ as a centralised config manager. Thanks again.
Cheers,
Simon
- acurry583 (Altocumulus)
Hi,
Is there an option to ignore cert/key pairs with passwords? The passwords are the same, but the encryption makes them appear to be different, so there seems to be no way around this unless we name each cert/key profile differently across each BIG-IP, which would kind of defeat the purpose of using BIG-IQ. This is my hold-up from importing...
- RomanJ (Ret. Employee)
Hello, the current script already ignores the certs/keys with a password and gives you a warning with the name of the key. Cheers, Roman
- acurry583 (Altocumulus)
I see now! Thanks!
My issue is with actually importing LTM services, not the certificate. The services will not import due to the encrypted output of the passwords being different. The passwords are the same but the encryption of it is different on each BIG-IP. Is there a script to get around that? See example below: The checksum is not allowing import of the certificate, but it is the same certificate, just uploaded to two different BIG-IPs.
- goodsell_116980 (Historic F5 Account)
acurry583,
It's strange that you would encounter a diff here. The keys and certs can only be imported from BIG-IP into BIG-IQ when the checksum matches, so I think the checksums must have been the same at the time you ran the import script. Typical workflow would go something like this:
- Discover & Import LTM from the BIG-IP to BIG-IQ. At this time the BIG-IQ and BIG-IP will have the same checksum for the file, but BIG-IQ will not have the file content.
- Run the import script. The script will copy the file content from BIG-IP and add it to the storage on BIG-IQ.
Step 2 will only succeed if the file content matches the checksum that originally came from BIG-IP during step 1.
This suggests that somewhere along the line you have modified the certificate. This does not appear to be related to passwords, since certificates don't use passwords (as far as I'm aware, anyway).
The data we can see for the cert looks the same on both sides, so it may be that the meaningful file content is identical, but the actual bytes of the files differ (for example, whitespace could have been added or removed). If you are inclined, you could examine the two versions of the file (from BIG-IP and from BIG-IQ) and see what has changed (though I'm not sure there's an easy way to fetch the file data on BIG-IQ; I could get you details on how to locate it if necessary). However, if you are confident that the file on BIG-IP is correct then I would suggest just accepting the BIG-IP version (which should import the file metadata and leave it unmanaged on BIG-IQ) then re-running the file import script to pull in the file content. Or, alternatively, delete the BIG-IQ object, import LTM, then run the import script.
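The distinction drawn in the reply above, a certificate whose meaningful content is identical while its raw bytes differ, can be checked directly before deciding which side to accept. The following is an added example, not code from the article's script or from F5: it hashes the file two ways, once over the exact bytes (in the SHA1:<size>:<hex> shape BIG-IP shows for file objects, which is an assumption here) and once over the DER decoded from the PEM armor, so whitespace and line-ending changes show up as a raw mismatch with a content match. The sample PEM block is constructed and is not a real certificate.

```python
import base64
import hashlib
import re

# One PEM block: header, base64 body, footer. re.S lets the body span lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def raw_checksum(data):
    """Checksum over the exact bytes, in the SHA1:<size>:<hex> shape BIG-IP
    shows for file objects (assumed format; the point is byte-for-byte equality)."""
    return "SHA1:%d:%s" % (len(data), hashlib.sha1(data).hexdigest())


def content_fingerprint(data):
    """Fingerprint of the decoded DER, which ignores line endings, line wrapping
    and trailing whitespace. Raises ValueError if no PEM block is present."""
    m = PEM_BLOCK.search(data.decode("ascii", "replace"))
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
    return hashlib.sha256(der).hexdigest()


def compare_files(bigip_bytes, bigiq_bytes):
    """Tell apart 'different certificate' from 'same certificate, different bytes'."""
    return {
        "raw_match": raw_checksum(bigip_bytes) == raw_checksum(bigiq_bytes),
        "content_match": content_fingerprint(bigip_bytes) == content_fingerprint(bigiq_bytes),
    }


# Constructed sample: not a real certificate, just bytes wrapped in PEM armor.
_SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
_B64 = base64.b64encode(_SAMPLE_DER).decode()
BIGIP_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
             + "\n-----END CERTIFICATE-----\n").encode()
# The same certificate after a round trip through an editor: CRLF line endings
# and an extra blank line at the end.
BIGIQ_PEM = BIGIP_PEM.replace(b"\n", b"\r\n") + b"\r\n"


if __name__ == "__main__":
    print(compare_files(BIGIP_PEM, BIGIQ_PEM))  # {'raw_match': False, 'content_match': True}
```

A raw mismatch with a content match means the BIG-IP copy can be accepted as the reply suggests; a content mismatch means a genuinely different certificate was uploaded and the object should be reviewed before either side is overwritten.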
- fwadmin (Altostratus)
Will this work on code 6.1.0?