Patching additional TLS certificate to the existing virtual server

Question

Hi,I am New to AS3.tried following json file to patch the new TLS certificate to the existing virtual server however its not working. can you let me know what is the correct procedure ?{
&nbsp;&nbsp;"class":&nbsp;"AS3",
&nbsp;&nbsp;"action":&nbsp;"patch",
&nbsp;&nbsp;"patchBody":&nbsp;[
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"op":&nbsp;"add",
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"path":&nbsp;"/tenanat/Application/private-vip/front-cert",
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"value":&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"class":&nbsp;"TLS_Server",
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"certificates":&nbsp;[
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"certificate":&nbsp;"frontend-cert"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;],
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"ciphers":&nbsp;"DEFAULT",&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"frontend-cert":&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"class":&nbsp;"Certificate",
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"certificate":&nbsp;"-----BEGIN&nbsp;CERTIFICATE-----fsdfsdfdshfd-----END&nbsp;CERTIFICATE-----
",
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"privateKey":&nbsp;"-----BEGIN&nbsp;PRIVATE&nbsp;KEY-----edfddsfdsfds-----END&nbsp;PRIVATE&nbsp;KEY-----
"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;},
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"private-vip":&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"layer4":&nbsp;"tcp",&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"class":&nbsp;"Service_HTTPS",&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"ServerTLS"&nbsp;:&nbsp;"front-cert",
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"redirect80":&nbsp;false,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"shareAddresses":&nbsp;true,
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"virtualAddresses":&nbsp;[
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;"192.168.1.x"
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;]
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;]
}

aravind · Answer

after a little bit tweaking in the json file, i could see the new certificate and ssl profile is created in F5 however the association to the virtual server is not happening. following is the updated json file. {
  "class": "AS3",
  "action": "patch",
  "patchBody": [
    {
      "op": "add",
      "path": "/tenant/Application/front-cert",
      "value": {
        
          "class": "TLS_Server",
          
          "certificates": [
          {
          "certificate": "frontend-cert"
          }
          ],
          "ciphers": "DEFAULT"          
        }
    },
    {
      "op": "add",
      "path": "/tenant/Application/frontend-cert",
      "value": {          
          "class": "Certificate",
          "certificate": "-----BEGIN CERTIFICATE-----ffddedddd---END CERTIFICATE-----
",
          "privateKey": "-----BEGIN PRIVATE KEY-----ffdddeeessddd-----END PRIVATE KEY-----
"
          },
          "Application":{    
          "class": "Application",
          "private-vip-0.4": {
            "layer4": "tcp",            
            "class": "Service_HTTPS",        
            "serverTLS": "front-cert",
             "shareAddresses": true,
            "virtualAddresses": [
              "192.168.1.x"
            ]                     
          }
          }
    }
    
  ]
}I guess, by default this parameter is enabled "&nbsp;default SSL profile for SNI" in TLS_Server profile. due to this, the new ssl profile is not associated. tried looking at the api document for this parameter but could not find the specific key.

Forum Discussion

Patching additional TLS certificate to the existing virtual server

1 Reply

Recent Discussions

Advise on setting up IRULE

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Related Content

Patch Tuesday, cURL, passkey - October 8th - 14th, 2023 - F5 SIRT - This Week in Security

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP

Automating ACMEv2 Certificate Management on BIG-IP

My Security+ Certification Journey