Get list of all certificates and their corresponding keys through the REST API (or CLI) in BIG-IP

sidxzx
Nimbostratus

Hello,

 

Is it possible to get all certificates and their corresponding keys with an API call? I've tried:

 curl -k -u admin:admin -H "Content-Type: application/json" -X GET  https://big-ip/mgmt/tm/sys/file/ssl-cert

but it gives me info about the certs and not their keys.

Same with:

tmsh list sys file ssl-cert all

 

No information about where to find the key.

 

However, in the GUI, under System > Certificate Management > Traffic Certificate Management > SSL Certificate List, I can see information about the certificates, their key and the CSR. So is there a way to get all of this information through the REST API?

 

2 REPLIES

Hello sidxzx.

 

Something you can do is execute a bash command through the REST API.

curl -sku admin:<PASSWORD> -H "Content-Type: application/json" -X POST https://<MGMT_IP>/mgmt/tm/util/bash -d "{\"command\":\"run\",\"utilCmdArgs\":\"-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'\"}" | sed 's/\\n/\n/g'

{
  "kind": "tm:util:bash:runstate",
  "command": "run",
  "utilCmdArgs": "-c 'cat /config/filestore/files_d/Common_d/certificate_d/:Common:CERT-IDP.crt_40359_1'",
  "commandResult": "
-----BEGIN CERTIFICATE-----
...<CERTIFICATE_FILE>...
-----END CERTIFICATE-----
"
}

Usually certificates are located in "/config/filestore/files_d/Common_d/certificate_d/".

 

KR,

Dario.


Satoshi_Toyosa1
F5 Employee

If you want to find the private key that corresponds to a particular certificate, you need to:

 

1) Get the certificate. See Dario's answer (i.e., POST /mgmt/tm/util/bash). The following Python trick gives you just the certificate part. Redirect the output to a file.

... iControl REST bash call ... | python -c 'import sys,json; o=json.load(sys.stdin); print(o["commandResult"])'

(I know. Some prefer jq)

 

2) Get the list of keys from /mgmt/tm/sys/file/ssl-cert: e.g.,

curl -sku $PASS https://$HOST/mgmt/tm/sys/file/ssl-cert | \
    python -c 'import sys,json; o=json.load(sys.stdin); print("\n".join([x["systemPath"] for x in o["items"]]))'

3) Get all the keys. See Dario's answer.

 

4) Extract the modulus part from the certificate and all keys, e.g. (<file> here comes from Steps 1 and 3):

openssl x509 -noout -modulus -in <file> | awk -F= '{print $2}'

Find the key that has the same modulus as the certificate.

 

It would be a good idea to write a script that performs the matching on the target BIG-IP and returns the key name, and call it from iControl REST. That reduces the number of calls (because certs and keys are found locally on BIG-IP).