Forum Discussion

sidxzx's avatar
sidxzx
Icon for Nimbostratus rankNimbostratus
Mar 25, 2020

Get list of all certificates and their correspondantes keys through the REST API (or cli) in BIG-IP

Hello,

Is it possible to get all certificates and their correspondantes keys with an api call, i've tried :

 curl -k -u admin:admin -H "Content-Type: application/json" -X GET  https://big-ip/mgmt/tm/sys/file/ssl-cert

but it gives me info about the certs and not their keys.

Same with:

tmsh list sys file ssl-cert all

No information about where to find the key.

However, in the GUI I can see in System> Certificate management > Traffic Certificate Management > SSL Certificate List information about the certificates, its key and the CSR. So is there a way to get all of this information through the REST API ?

2 Replies

  • Hello sidxzx.

    Something you can do is to execute a BASH command using REST API.

    curl -sku admin:<PASSWORD> -H "Content-Type: application/json" -X POST https://<MGMT_IP>/mgmt/tm/util/bash -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'\"}" | sed 's/\\n/\n/g'
    {
    "kind":"tm:util:bash:runstate",
    "command":"run",
    "utilCmdArgs":"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'",
    "commandResult":"
    -----BEGIN CERTIFICATE-----
    ...<CERTIFICATE_FILE>...
    -----END CERTIFICATE-----
    "}

    Usually certificates are located in "/config/filestore/files_d/Common_d/certificate_d/".

    KR,

    Dario.

  • If you want to find the private key that corresponds to a particular certificate, you need to:

    1) Get the certificate. See Mario's answer (i.e., POST /mgmt/tm/util/bash). The following Python trick gives you just the certificate part. Redirect the output to a file.

    ... iControl REST bash call ... | python -c 'import sys,json; o=json.load(sys.stdin); print o["commandResult"]'

    (I know. Some prefer jq)

    2) Get the list of keys from /mgmt/tm/sys/file/ssl-cert: e.g.,

    curl -sku $PASS https://$HOST/mgmt/tm/sys/file/ssl-cert | \
    python -c 'import sys,json; o=json.load(sys.stdin); print "\n".join([x["systemPath"] for x in o["items"]])'

    3) Get all the keys. See the Mario's answer.

    4) Extract the modulus part from the certificate and all keys: e.g. (<file> here comes from Step 1 and 3),

    openssl x509 -noout -modulus -in <file>| awk -F= '{print $2}'

    Find the key that has the same modulus as the certificate.

    It would be a good idea to write a script that performs the matching on the target BIG-IP and returns the key name, and call it from iControl REST. That reduces the amount of calls (because certs and keys are found locally on BIG-IP).