
How to make a password-protected private key via REST


Hey everyone! 

Does anyone know how to use a REST command to create a password-protected key? I tried the following, but it gave me the error:


 {"code":400,"message":"\"passphrase\" may not be specified in the context of the \"create\" command. \"passphrase\" may be specified using the following commands: install","errorStack":[],"apiError":26214401}




payload = {
    "name": f"{fqdn}-key-{datetime.utcnow().strftime('%Y%m%d%H%M%S')}.key",
    "commonName": options.common_name,
    "keySize": options.key_size,
    "keyType": "rsa-private",
    "options": [{"gen-csr": ""}],
    "organization": options.organization,
    "state": options.state,
    "subjectAlternativeName": sans,
    "passphrase": password,
    "securityType": "password",
}

r = await"mgmt/tm/sys/crypto/key", json=payload, raise_err=False)






Community Manager

Hi @Wyko, I could be off-base, but I don't think you can create the key this way. I believe you need to create the key from command line, either locally on a box and upload it to BIG-IP, or create it on command line on BIG-IP itself. Once that step is done, then you can create the file reference to that key with the REST methods.

That said, I would not recommend using the /tm/sys/crypto/key method, as the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead. When using the latter method, you'll want to define the sourcePath attribute like "file:///var/config/rest/downloads/my.key" or wherever you uploaded/created the key. So the data that you would POST to /tm/sys/file/ssl-key would look something like (using the bigrest python iControl REST wrapper here):

from bigrest.bigip import BIGIP

b = BIGIP('mybigip.local', 'admin', 'admin', session_verify=False)

key_data = {'name': 'testkey.key',
            'keySize': 2048,
            'keyType': 'rsa-private',
            'passphrase': 'encrypted passphrase here',
            'securityType': 'password',
            'sourcePath': 'file:///var/config/rest/downloads/mytestkey.key'}
response = b.create('/mgmt/tm/sys/file/ssl-key', key_data)

This assumes, of course, you've created the key and moved it or uploaded it to the BIG-IP /var/config/rest/downloads folder.
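A pre-flight check for the workflow described in the reply above, as an added example that is not part of the original thread or F5's own code: it confirms that a PEM key file really is passphrase-encrypted before building the body for /mgmt/tm/sys/file/ssl-key. The payload fields come from the reply; the function names and sample PEM text are hypothetical and constructed, and nothing here contacts a BIG-IP.

```python
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LEGACY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_key_protection(pem_text):
    """Classify a PEM private key as 'encrypted', 'plaintext' or 'not-a-key'."""
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, always encrypted
            return "encrypted"
        if label == "PRIVATE KEY":                # PKCS#8, never encrypted
            return "plaintext"
        if label in LEGACY_LABELS:
            # Traditional OpenSSL format marks encryption with an RFC 1421 header.
            encrypted = body.lstrip().startswith("Proc-Type: 4,ENCRYPTED")
            return "encrypted" if encrypted else "plaintext"
    return "not-a-key"


def build_ssl_key_payload(name, pem_text, passphrase, source_path):
    """Build the POST body for /mgmt/tm/sys/file/ssl-key, refusing unprotected keys."""
    state = pem_key_protection(pem_text)
    if state != "encrypted":
        raise ValueError(f"{name}: key file is {state}; not registering it as password-protected")
    if not passphrase:
        raise ValueError(f"{name}: an encrypted key needs its passphrase")
    return {
        "name": name,
        "passphrase": passphrase,
        "securityType": "password",
        "sourcePath": source_path,
    }


# Constructed sample inputs: the base64 bodies are placeholders, not real keys.
def _pem(label, headers=""):
    return f"-----BEGIN {label}-----\n{headers}Q09OU1RSVUNURUQ=\n-----END {label}-----\n"

SAMPLE_PKCS8_ENCRYPTED = _pem("ENCRYPTED PRIVATE KEY")
SAMPLE_LEGACY_ENCRYPTED = _pem(
    "RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n")
SAMPLE_PLAINTEXT = _pem("RSA PRIVATE KEY")

if __name__ == "__main__":
    for sample in (SAMPLE_PKCS8_ENCRYPTED, SAMPLE_LEGACY_ENCRYPTED, SAMPLE_PLAINTEXT):
        print(pem_key_protection(sample))
```

Reading the passphrase from an environment variable or secret store at call time keeps it out of the script and out of version control.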