
REST API documentation Certificate Order Manager

restwell
Nimbostratus

Hello guys,

 

I am in the process of automating my certificate deployment on big ip. Because I am a customer at Sectigo (Comodo) I am using the new Certificate Order Manager feature (new since 15.0). Of course, because I'm automating things, I started to learn how to talk to REST APIs and so far I'm enjoying it but I feel the documentation is not what it should be.... Or that I might be missing something...

In this specific instance I generated a crypto key and csr and I found the "certOrderManager" property fairly quickly although it is not documented on https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_sys_crypto_key.html. It was a shot in the dark, but it worked.

However, after generating the CSR I need to tell the big-ip to request the certificate from Sectigo. It took me a few hours to finally find a solution on how to change its status to "New" so my big-ip does a call to Sectigo and requests the certificate.

All I had to do was send this piece of code to /mgmt/tm/sys/crypto/key/~resource id:

{
   "certOrderManager": {
       "My-Cert-Order-Manager-Profile": {
           "order-type": "new"
       }
   }
}

I tried this code because after searching for hours I decided to dig in the tmsh help (just on the box using ?) and just try until I found it.

Now my question: how do you find all the properties you need to configure? Are you supposed to do some guessing based on tmsh commands or am I missing a very important resource? For instance when I did a GET for this CertOrderManager I was only returned statistics, no properties like "order-type".

4 REPLIES

Mathieu_Sturm
Nimbostratus

Did you ever get this to work? I can create and revoke certificates through Sectigo. The renew function doesn't work. Is this working for you?

Hi Mathieu, yes I got it to work.

I however didn't trust the auto renew function (mostly due to the 5 certificates per 1 minute limitation of Sectigo and the fact that I have +/- 1500 certificates expiring on the same date) so I created a script to renew them before they expire. I have 20 less important certificates expiring by the end of November, they will be my test case for the renew function....

What specific issue do you have?
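An added example, not code from the thread or from F5: it builds the order request described in the original post for many keys and spaces the requests so they stay within the 5-certificates-per-minute limit mentioned in the reply above. The PATCH verb, the `~partition~name` form of the resource id, the token header value and all host and key names are assumptions or constructed placeholders; nothing is sent.

```python
import json
import urllib.request
from urllib.parse import quote


def order_request(host, key_name, profile, partition="Common", token="<auth-token>"):
    """Build (do not send) the request that sets order-type to "new" on one key."""
    # Assumption: the page's "~resource id" is the usual ~partition~name form.
    # Percent-encoding keeps a key name from an inventory file from altering the path.
    resource = quote(f"~{partition}~{key_name}", safe="~")
    body = {"certOrderManager": {profile: {"order-type": "new"}}}
    return urllib.request.Request(
        url=f"https://{host}/mgmt/tm/sys/crypto/key/{resource}",
        data=json.dumps(body).encode(),
        method="PATCH",  # assumption: the thread does not name the HTTP verb
        headers={"Content-Type": "application/json",
                 "X-F5-Auth-Token": token},  # placeholder token
    )


def schedule(key_names, per_window=5, window_s=60):
    """Return [(delay_seconds, key_name)], evenly spaced so that any
    window_s-long interval contains at most per_window orders."""
    if per_window < 1 or window_s <= 0:
        raise ValueError("per_window must be >= 1 and window_s > 0")
    step = window_s / per_window
    return [(i * step, name) for i, name in enumerate(key_names)]


def plan(host, profile, key_names, **limits):
    """Pair each scheduled delay with the request to send at that time."""
    return [(delay, order_request(host, name, profile))
            for delay, name in schedule(key_names, **limits)]


if __name__ == "__main__":
    # Constructed sample inventory; host and profile names are placeholders.
    keys = [f"site{i}.example.test.key" for i in range(7)]
    for delay, req in plan("bigip.example.test", "My-Cert-Order-Manager-Profile", keys):
        print(f"t+{delay:>5.0f}s {req.get_method()} {req.full_url}")
```

At this spacing, 1500 keys take about five hours to submit, so the renewal run has to start well before the shared expiry date.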

Mathieu_Sturm
Nimbostratus

After manually selecting Renew I get an error which says "Wrong method or empty parameter supplied". Is it possible to send me a screenshot of your configuration in the Certificate Order Manager List?

My email address is mathieu.sturm@hogent.be

You are correct, I'm seeing the same issue. Likely a bug:

Order Status   Auto Renew Order Rejected

Response:   

code   -14.0

description   Wrong method or empty parameter supplied