
Replacing vserver certificates (say for SSL offload) via CLI?

Fallout1984
Cirrocumulus

I'm looking for an alternative to using the GUI for replacing a vserver's certificate. Sure, if it's just one vserver it's not much work at all to swap certs via the GUI; however, I have at least two instances where I have to replace the cert on eight vservers (multiple front-end ports configured), which is tedious. Another method would be to just change the cert/key/intermediate on the cert profile in use.

Surely there's a more efficient way of doing this via the CLI...

Thanks!

1 ACCEPTED SOLUTION

Yes, there is a way to update the certificates in the SSL profiles via the CLI, but you need to have the new certificate uploaded on the F5. If the certificate is already uploaded on the F5, you can use the command below to set the new certificate on the selected client and/or server SSL profile. Once you have the proper certificate, key & profile name selected, you can update multiple certificates & keys under SSL profiles with the commands below in one go.

tmsh modify ltm profile <SSL-Profile-Type> <SSL-Profile-Name> cert <SSL-Certificate-Name> key <SSL-Key-Name>

If you want to import the certificate first (without using the WebUI), you can use an SCP transfer. Once the certificate & key files are transferred, you first need to install them using the commands given below. Once they are installed, you can use the command above to update the certificate & key under the SSL profiles.

tmsh install sys crypto cert <SSL-certificate-name> from-local-file <path-to-certificate-file>
tmsh install sys crypto key <SSL-key-name> from-local-file <path-to-key-file>

Ref. article for more details -

https://support.f5.com/csp/article/K14031

NOTE: After installing the certificates and/or keys, you must verify that the cert & key are properly installed before applying them under profiles.

This way you can manage these configurations via the CLI.

 

Hope it helps!
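The install and modify commands from the answer above, applied to several SSL profiles in one pass, as an added example that is not part of the original thread. It assumes the cert and key are installed under one shared object name, checks with openssl that the two files belong together before anything is installed, and only prints the tmsh commands for review; the script name, object names and paths are constructed.

```sh
#!/bin/sh
# Added example, not from the original thread. All object names are constructed.
# Intended for the BIG-IP bash shell, where openssl and tmsh are both present.

# Allow only characters that are safe to emit into a command line.
safe_token() {
    case $1 in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
}

# Succeed only if the certificate and the private key carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print the tmsh commands from the answer: install once, then repoint each profile.
# Assumption: cert and key are installed under the same object name.
plan_cert_swap() {
    name=$1 cert_file=$2 key_file=$3 ptype=$4
    shift 4
    for tok in "$name" "$cert_file" "$key_file" "$ptype" "$@"; do
        safe_token "$tok" || { echo "unsafe value: $tok" >&2; return 1; }
    done
    printf 'tmsh install sys crypto cert %s from-local-file %s\n' "$name" "$cert_file"
    printf 'tmsh install sys crypto key %s from-local-file %s\n' "$name" "$key_file"
    for profile in "$@"; do
        printf 'tmsh modify ltm profile %s %s cert %s key %s\n' \
            "$ptype" "$profile" "$name" "$name"
    done
}

# Usage: swap.sh <name> <cert-file> <key-file> <profile-type> <profile>...
# Prints the plan only; review it, then pipe it to sh to apply.
if [ "$#" -ge 5 ]; then
    cert_matches_key "$2" "$3" || { echo "cert/key mismatch or unreadable" >&2; exit 1; }
    plan_cert_swap "$@"
fi
```

Because every value is restricted to a safe character set before it is printed, the reviewed output can be piped to sh without a profile name or path being interpreted as shell syntax.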

 

 


2 REPLIES


Thanks for the info!