11-Jul-2023 17:20 - edited 11-Jul-2023 17:21
Hey everyone!
Does anyone know how to use a REST command to create a password protected key? I tried the following, but it gave me the error:
{"code":400,"message":"\"passphrase\" may not be specified in the context of the \"create\" command. \"passphrase\" may be specified using the following commands: install","errorStack":[],"apiError":26214401}
from datetime import datetime

# Runs inside an async function; fqdn, options, sans, password and the REST client `ltm`
# are defined earlier in the script.
payload = {
    "name": f"{fqdn}-key-{datetime.utcnow().strftime('%Y%m%d%H%M%S')}.key",
    "commonName": options.common_name,
    "keySize": options.key_size,
    "keyType": "rsa-private",
    "options": [{"gen-csr": "www.testing.com"}],
    "organization": options.organization,
    "city": options.city,
    "state": options.state,
    "emailAddress": options.email,
    "subjectAlternativeName": sans,
    "passphrase": password,
    "securityType": "password",
}
# This is the request that returns the 400 error shown above.
r = await ltm.post("mgmt/tm/sys/crypto/key", json=payload, raise_err=False)
12-Jul-2023 15:28
Hi @Wyko, I could be off-base, but I don't think you can create the key this way. I believe you need to create the key from command line, either locally on a box and upload it to BIG-IP, or create it on command line on BIG-IP itself. Once that step is done, then you can create the file reference to that key with the REST methods.
That said, I would not recommend using the /tm/sys/crypto/key method, as the /tm/sys/crypto methods have been deprecated for a while, but rather the /tm/sys/file/ssl-key method instead. When using the latter method, you'll want to define the sourcePath attribute like "file:///var/config/rest/downloads/my.key" or wherever you uploaded/created the key. So the data that you would POST to /tm/sys/file/ssl-key would look something like (using the bigrest Python iControl REST wrapper here):
from bigrest.bigip import BIGIP

# session_verify=False skips TLS certificate validation of the BIG-IP management interface
b = BIGIP('mybigip.local', 'admin', 'admin', session_verify=False)

key_data = {
    'name': 'testkey.key',
    'keySize': 2048,
    'keyType': 'rsa-private',
    'passphrase': 'encrypted passphrase here',
    'securityType': 'password',
    # the key file must already exist at this path on the BIG-IP
    'sourcePath': 'file:///var/config/rest/downloads/mytestkey.key'
}
response = b.create('/mgmt/tm/sys/file/ssl-key', key_data)
This assumes of course you've created the key and moved it or uploaded it to the BIG-IP /var/config/rest/downloads folder.
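The full flow the answer describes (generate the encrypted key on the command line, get it into /var/config/rest/downloads, then create the ssl-key object that references it), as an added example that is not part of the original thread or of bigrest: it uses the iControl REST chunked file-transfer endpoint directly through a requests-style session object passed in by the caller, and the host name, file names and passphrase are placeholders.

```python
import os
import subprocess

CHUNK = 512 * 1024  # iControl REST rejects upload chunks above 1 MiB; stay well under it

def generate_encrypted_key(path, passphrase, bits=2048):
    # "create it on the command line": AES-256 encrypted RSA key; passphrase via stdin, not argv
    subprocess.run(["openssl", "genrsa", "-aes256", "-passout", "stdin", "-out", path, str(bits)],
                   input=passphrase.encode(), check=True)
    return path

def content_range_headers(total, chunk=CHUNK):
    # yield (start, end, headers) per chunk; Content-Range is 'start-end/total', end inclusive
    start = 0
    while start < total:
        end = min(start + chunk, total) - 1
        yield start, end, {"Content-Type": "application/octet-stream",
                           "Content-Range": f"{start}-{end}/{total}"}
        start = end + 1

def ssl_key_payload(name, passphrase, key_size=2048):
    # POST /mgmt/tm/sys/file/ssl-key body: passphrase for the uploaded PEM, securityType=password, sourcePath
    return {
        "name": name,
        "keySize": key_size,
        "keyType": "rsa-private",
        "passphrase": passphrase,
        "securityType": "password",
        "sourcePath": f"file:///var/config/rest/downloads/{name}",
    }

def upload_key(session, host, local_path, chunk=CHUNK):
    # chunked upload to /var/config/rest/downloads/<basename>; `session` needs a requests-style .post()
    name = os.path.basename(local_path)
    total = os.path.getsize(local_path)
    with open(local_path, "rb") as fh:
        for start, end, headers in content_range_headers(total, chunk):
            fh.seek(start)
            r = session.post(f"https://{host}/mgmt/shared/file-transfer/uploads/{name}",
                             headers=headers, data=fh.read(end - start + 1))
            r.raise_for_status()
    return name

def create_ssl_key(session, host, local_path, passphrase):
    # step 2 from the answer: register the uploaded file as an ssl-key object
    name = upload_key(session, host, local_path)
    r = session.post(f"https://{host}/mgmt/tm/sys/file/ssl-key",
                     json=ssl_key_payload(name, passphrase))
    r.raise_for_status()
    return r.json()
```

With a real `requests.Session` carrying the BIG-IP credentials, `create_ssl_key(session, "bigip.example", generate_encrypted_key("/tmp/my.key", passphrase), passphrase)` performs both steps.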