Automate import of SSL Certificate, Key & CRL from BIG-IP to BIG-IQ

The functionality to automate the import of SSL cert & key from BIG-IP to BIG-IQ is available in the product starting BIG-IQ 7.0 and above. This script should not be used on BIG-IQ 7.0+ as it has not been tested on those versions.

This script will import all supported SSL Certificate, Key & CRL that exist as unmanaged objects on this BIG-IQ which can be found on the target BIG-IP.

Steps performed by the script:

• Gather certificate and key metadata (including cache-path) from BIG-IPs
• Download certificate and key file data from BIG-IPs
• Upload certificate and key file data to BIG-IQ

Prerequisite: Discover and import LTM services before using this script.The target BIG-IP will be accessed over ssh using the BIG-IP root account.

Installation: The script must be installed in BIG-IQ under /shared/scripts:

# mkdir /shared/scripts# chmod +x /shared/scripts/import-bigip-cert-key-crl.py

Command example:

# ./import-bigip-cert-key-crl.py <big-ip IP address>

​Enter the root user's password if prompted.

Allowed command line options:    -h                show this help message and exit    -l                 LOG_FILE, log to the given file name    --log-level   {debug,info,warning,error,critical}, set logging to the given level (default: info)    -p PORT     BIG-IP  ssh port (default: 22)

Result: Configuration > Certificate Management > Certificates & Keys

Before running the script:

After running the script:

Location of the scripts on GitHub: https://github.com/f5devcentral/f5-big-iq-pm-team

In case you BIG-IQ is running on Hardware:

Step 1: Install packages using pip, targeting a location of your choice

# mkdir py-modules# pip install --target py-modules requests argparse

Step 2: Run using python2.7, adding py-modules to the python path

# PYTHONPATH=py-modules python2.7 import-bigip-cert-key-crl.py <big-ip IP address>