Generate private key w/ CSR via iControl REST

10 Comments

Zdenda
Cirrus
Mar 16, 2021
How can I specify a partition? When added to JSON it seems to be ignored

Altocumulus

Apr 24, 2024

Tested Version 16.1.3

#!/bin/bash

### Set Variables ###
fqdn="www.testing1.com"
bigip="mybigip.company.com"
partition="myPartition"
username="myUsername"
password="myPassword"
subjectAlternativeName="DNS:www.testing2.com,DNS:www.testing3.com""

### Set Data ###
data='{
"name":"'"$fqdn"'.key",
"commonName":"'"$fqdn"'",
"partition":"'"$partition"'",
"keySize":"4096",
"keyType":"rsa-private",
"options":[{"gen-csr":"'"$fqdn"'"}],
"organization":"ACME Inc ",
"ou":"IT Security",
"city":"Houston",
"state":"Texas",
"country":"US",
"subject-alternative-name":"DNS:'"$fqdn"','"$subjectAlternativeName"'"
}'

### Create Key & CSR ###
curl -sku $username:$password -X POST -H "Content-Type: application/json" -d "$data" https://$bigip/mgmt/tm/sys/crypto/key

### Download CSR ###
function list_csr() {
    data="{\"command\":\"run\",\"utilCmdArgs\":\"-c 'tmsh list sys crypto csr /"$partition"/"$fqdn".key \| grep -ve \'sys crypto\' -ve \'}\' -ve \' \' '\"}"
    curl -sku $username:$password -H "Content-Type: application/json" -X POST https://$bigip/mgmt/tm/util/bash -d "$data" | jq -r '.commandResult' | awk '/-----BEGIN CERTIFICATE REQUEST-----/,/-----END CERTIFICATE REQUEST-----/'
}

### Write CSR to a file ###
list_csr > "$fqdn".csr

### new line ###
echo -e "\n"

### Verify CSR ###
openssl req -text -noout -verify -in "$fqdn".csr

### Open CSR in default program ###
explorer "$fqdn".csr

Tushar_Jagdale
Nimbostratus
Feb 20, 2020
Hi Gregory,
Thanks for the post! is there a GET or any other API to pull the newly created/generated CSR?
Regards,
G-Rob
Employee
Feb 20, 2020
Tushar,

Take a look at this: https://devcentral.f5.com/s/question/0D51T00006i7del/export-a-fips-based-csr-certificate-signing-request-via-icontrol

Let me know if that doesn't help.

Abdessamad1

Cirrostratus

Apr 13, 2020

The same can be done with python SDK:

mgmt.tm.sys.crypto.keys.key.create(name='www.testing.com.key', options=[{"gen-csr":"www.testing.com"}], commonName='www.testing.com', country='BE', city='Brussels', organization='AEL Lab', ou='IT', subjectAlternativeName='DNS:www.testing.com, DNS:testing.com')

But couldn't find a way to retrieve the CSR file or text directly with SDK? I guess we have to go via mgmt.tm.util.bash.exec_cmd

newbieF5guy
Nimbostratus
May 18, 2020
This helped me a lot!

Gregory do you know from here how I could retrieve the CSR and key text directly using the iControl RestAPI?
G-Rob
Employee
May 18, 2020
Check out this post: https://devcentral.f5.com/s/question/0D51T00006i7d2P/is-there-a-way-to-download-export-the-actual-key-rsa-certificate-files-from-bigip-using-the-icontrol-rest

Unfortunately I don't think there is a way to do it via iControl REST.
Muhammad_Rafi
Nimbostratus
Jun 08, 2021
add the following key pair in the above payload, it works for me
"partition":"PART1",

note: replace PART1 with your partition you want to generate the key on.
ishhyd82
Nimbostratus
Oct 06, 2021
Can you please share the code which worked for you?

Muhammad_Rafi

Nimbostratus

Oct 10, 2021

Here is the pay payload and URI for the CSR generations

https://{{bigip}}/mgmt/tm/sys/crypto/csr

Please note, you need to have key generated before prior to create the CSR.

{  
	"name": "www.example.com",  
	"commonName": "www.example.com",
    "partition":"TENANT_2",  
	"key": "www.example.com.key",  
	"organization": "Cutomer4",  
	"ou": "Engineering",  
	"city": "London",  
	"state_or_province_name": "England",
    "country": "UK",
	"email-address": "customer4@example2.com"
}