cert
7 Topics

Replacing vserver certificates (say for SSL offload) via CLI?
I'm looking for an alternative to using the GUI for replacing a vserver's certificate. Sure, if it's just one vserver it's not much work at all to swap certs via the GUI, however I have at least two instances where I have to replace the cert on eight vservers (multiple front-end ports configured), which is tedious. Another method would be to just change the cert/key/intermediate on the cert profile in use. Surely there's a more efficient way of doing this via the CLI... Thanks!
Solved · 595 Views · 0 likes · 2 Comments

Create Your Own Certificate Authority
Problem this snippet solves: The main goal of this article is to share an easy way to create your own Certificate Authority (CA) for your lab environment with the APM module.
REF - https://github.com/DariuSGB/LabCA
This repository is composed of a set of scripts that give you an easy way to:
- Create your own root CA.
- Create your own intermediate CA, signed by your root CA.
- Create your own certs, signed by your intermediate CA or your root CA.
- Create your own OCSP cert, for using it in your OCSP responder.
- Create your own CRL cert, for using it directly in your APM.
- Revoke your certs (remember to refresh your CRL cert after that).
- Create your own PKCS#12 cert (from regular PEM certs/keys) for installing it in your Windows environment.
- Invoke an OCSP responder of your certs environment (remember to create an OCSP cert first).
How to use this snippet: Download and install your environment using these commands:
    git clone https://github.com/DariuSGB/LabCA.git
    cd LabCA
    chmod +x $(ls | grep -v README)
Tested this on version: 14.1
548 Views · 0 likes · 0 Comments

How to install a cert and a key through Python SDK
I am trying to install a cert and a key through Python SDK. BIG-IP Version: 12.1.2
First.. I had no problem with uploading certs and keys to F5's /var/config/rest/downloads/ folder. Now when I tried the following python code to install cert and key, I didn't see any error.
    key = bitip.tm.sys.file.ssl_keys.ssl_key.create(name='test', partition='Common', sourcePath='file:/var/config/rest/downloads/test.key')
    cert = bitip.tm.sys.file.ssl_certs.ssl_cert.create(name='test', partition='Common', sourcePath='file:/var/config/rest/downloads/test.crt')
However when I logged on BIG-IP device and clicked a cert or key to see their actual content, I couldn't see any content. "No certificate" under certificate tab and an error message of "An error has occurred while trying to process your request." under Key tab. Does anyone know what is causing this problem? Or is there any way I can troubleshoot this issue? Thank you.
1K Views · 1 like · 4 Comments

PSD2 client cert check and passthrough Subject DN
I have been asked to implement a client cert check with external CAs and if the check passes then pass through the client cert Subject DN to the backend application for checking and action by application. I am an F5 newbie but from my reading I don't want to have to create a certificate bundle on the device as it will need updated as the CAs change. Any help about how this can be done quickly would be appreciated. I have a pentest scheduled and I want to do a cert check fail and pass.
Thanks
Richard
261 Views · 0 likes · 1 Comment

How to edit certificate ca bundle via iControl REST API
Hi, I have ssl certificates that have ca bundles. These ca bundles include multiple certificates. The use case is that some of those certificates expire and need to be deleted at some point in time. Previously I was using the iControl SOAP method to do that: https://clouddocs.f5.com/api/icontrol-soap/Management__KeyCertificate__certificate_delete_from_bundle.html
Unfortunately, this is no longer supported in the new version of BigIP. This is why we need to move to use iControl REST in order to accomplish the same goal. However, I was not able to find how to perform the same operation using iControl REST. What I was looking at was the following iControl REST API: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_sys_file_ssl-cert.html
In this API there is a subcollection "bundle-certificates". However, as far as I can see in the documentation, this subcollection is read-only. It cannot be modified using iControl REST. Does anyone have an idea how to remove a certificate from the ca bundle of a given certificate using iControl REST API?
Regards,
Rashid
772 Views · 0 likes · 2 Comments

iPad cert based auth not working
Has anyone here recently experienced an issue with cert based auth with iPads? I have configured LTM v13.1.1 with CBA via the client SSL profile, it's working fine with iPhones, Edge & Chrome browsers with Win10 clients etc, only iPads have an issue. Issue appears to be related to iPads running v12.x onwards. Certs are being deployed via MDM, an iPad with v11.x was working ok until upgraded to v12.4.1. Also tested on beta IOS v13 today with same outcome. Clicking on link with auth using x509 cert results in page cannot be displayed SSL error. No client cert auth prompt is displayed. Anyone else?
286 Views · 0 likes · 1 Comment