Updating SSL Certificates on BIG-IP using REST API

Managing SSL certificates is a critical part of securing your infrastructure, and BIG-IP makes this process easier with its API. In this tutorial, we’ll walk you through the steps to update SSL certificates on a BIG-IP system using REST API commands. 

Prerequisites

Before we begin, ensure you have the following:

  1. Access to your BIG-IP system's REST API.
  2. Admin credentials for the BIG-IP system.
  3. The SSL certificate (test.crt) and private key (test.key) files.
  4. cURL installed on your machine.

While the commands in this tutorial use basic authentication (username:password) for simplicity, it is highly recommended to use token-based authentication for improved security.

 
Step 1: Upload the SSL Certificate

First, we need to upload the SSL certificate file to the BIG-IP system.

curl -i -sk -u admin:your-password -X POST \
-H "Content-Type: application/octet-stream" \
-H "Content-Range: 0-1253/1254" \
--data-binary "@test.crt" \
https://<BIG-IP-ADDRESS>:8443/mgmt/shared/file-transfer/uploads/mycert.crt

Key Points:

  • Replace your-password with your admin password.
  • Replace <BIG-IP-ADDRESS> with your BIG-IP system’s address.
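  • The --data-binary "@test.crt" option specifies the certificate file to upload.
  • The Content-Range header must match the file being sent: 0-1253/1254 describes a 1254-byte file, so for a single upload use 0-(size-1)/size with your file's size in bytes.
  • The -k option disables verification of the BIG-IP management certificate; omit it when that certificate chains to a CA your machine trusts.
  • The file is sent to the file-transfer/uploads endpoint and stored under /var/config/rest/downloads/ on the BIG-IP system, which is the path Step 3 reads from.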

Step 2: Upload the Private Key

Similarly, upload the private key file, setting Content-Range to match the size of the key file:

curl -i -sk -u admin:your-password -X POST \
-H "Content-Type: application/octet-stream" \
-H "Content-Range: 0-1253/1254" \
--data-binary "@test.key" \
https://<BIG-IP-ADDRESS>:8443/mgmt/shared/file-transfer/uploads/mycert.key

Step 3: Install the SSL Certificate

Once uploaded, install the certificate on the BIG-IP system:

curl -sk -u admin:your-password -H "Content-Type: application/json" -X POST \
-d '{"command":"install","name":"mycert","from-local-file":"/var/config/rest/downloads/mycert.crt"}' \
https://<BIG-IP-ADDRESS>:8443/mgmt/tm/sys/crypto/cert

Key Points:

  • The "command":"install" action places the certificate into the system's certificate store.
  • The from-local-file parameter specifies the file location of the uploaded certificate.

Step 4: Install the Private Key

Next, install the private key:

curl -sk -u admin:your-password -H "Content-Type: application/json" -X POST \
-d '{"command":"install","name":"mycert","from-local-file":"/var/config/rest/downloads/mycert.key"}' \
https://<BIG-IP-ADDRESS>:8443/mgmt/tm/sys/crypto/key

Key Points:

  • The process is similar to the certificate installation.
  • Ensure the key name matches the certificate name (mycert) for consistency.

Step 5: Update the SSL Profile

Finally, bind the new certificate and key to an existing clientssl profile:

curl -sk -u admin:your-password \
  -X PATCH \
  https://<BIG-IP-ADDRESS>:8443/mgmt/tm/ltm/profile/client-ssl/clientssl_test \
  -H "Content-Type: application/json" \
  -d '{
    "cert": "/Common/mycert",
    "key": "/Common/mycert"
  }'

Key Points:

  • Replace clientssl_test with the name of your SSL profile.
  • The cert and key values point to the installed certificate and key in /Common.
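
The five steps above as one script, as an added example that is not part of the original article: it derives Content-Range from each file's real size and uses a session token (X-F5-Auth-Token) in place of basic authentication. The BIGIP_HOST, BIGIP_USER and BIGIP_PASS variables, the function names, the update-cert.sh file name and the use of jq are assumptions; -k is omitted, so cURL must trust the management certificate.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: exported
# BIGIP_HOST/BIGIP_USER/BIGIP_PASS variables, the function names, and jq
# for JSON handling. -k is omitted, so cURL must trust the management cert.
BASE="https://${BIGIP_HOST:-bigip.example.invalid}:8443/mgmt"

# Single-chunk Content-Range value for a file: 0-(size-1)/size.
content_range() {
  [ -s "$1" ] || { echo "missing or empty file: $1" >&2; return 1; }
  _size=$(wc -c < "$1" | tr -d ' ')
  printf '0-%d/%d\n' "$((_size - 1))" "$_size"
}

# Log in once and print a session token. jq reads the credentials from the
# environment, so the password never appears in a process argument list.
get_token() {
  jq -cn '{username: env.BIGIP_USER, password: env.BIGIP_PASS, loginProviderName: "tmos"}' |
    curl -sS --fail -H "Content-Type: application/json" --data @- \
      "$BASE/shared/authn/login" | jq -r '.token.token'
}

# upload_file TOKEN LOCAL_FILE REMOTE_NAME   (Steps 1 and 2)
upload_file() {
  _range=$(content_range "$2") || return 1
  curl -sS --fail -X POST -H "X-F5-Auth-Token: $1" \
    -H "Content-Type: application/octet-stream" \
    -H "Content-Range: $_range" --data-binary "@$2" \
    "$BASE/shared/file-transfer/uploads/$3"
}

# api_json TOKEN METHOD PATH JSON_BODY   (Steps 3 to 5)
api_json() {
  curl -sS --fail -X "$2" -H "X-F5-Auth-Token: $1" \
    -H "Content-Type: application/json" -d "$4" "$BASE/$3"
}

# Talks to the BIG-IP only when invoked as: sh update-cert.sh run
if [ "${1:-}" = "run" ]; then
  set -eu
  token=$(get_token)
  [ -n "$token" ] && [ "$token" != "null" ] || { echo "login failed" >&2; exit 1; }
  upload_file "$token" test.crt mycert.crt
  upload_file "$token" test.key mycert.key
  api_json "$token" POST tm/sys/crypto/cert '{"command":"install","name":"mycert","from-local-file":"/var/config/rest/downloads/mycert.crt"}'
  api_json "$token" POST tm/sys/crypto/key '{"command":"install","name":"mycert","from-local-file":"/var/config/rest/downloads/mycert.key"}'
  api_json "$token" PATCH tm/ltm/profile/client-ssl/clientssl_test '{"cert":"/Common/mycert","key":"/Common/mycert"}'
fi
```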

Conclusion

With these simple cURL REST API commands, you can seamlessly update SSL certificates on a BIG-IP system. This method is ideal for those who prefer automation and want to integrate the process into their workflows.

By following this guide, you’ve:

  1. Uploaded a certificate and private key.
  2. Installed them on the BIG-IP system.
  3. Updated an SSL profile with the new certificate and key.

Published Dec 13, 2024
Version 1.0