Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

Are you an expert?    Interested in presenting at F5 AppWorld 2024?    Submit a proposal by Nov 29th!

Upload LTM SSL Certificate and Key using REST API

Shereif
Altostratus
Altostratus

‎20-Nov-2023 09:50

I'm trying to upload and existing certificate and key using the API but I can't find a working way so far.

The Idea is to upload the cert and key, then later reference them in an AS3 declaration. I am aware that I can directly reference the cert and key content in AS3 but due to how the process works, I want to upload the files first then later reference them in an AS3 declaration.

Thank yo in advance

Regards,

Shereif

 

Labels:
0 Kudos
5 REPLIES 5

JRahm
Community Manager
Community Manager

‎20-Nov-2023 17:26 - edited ‎20-Nov-2023 17:28

Hi @Shereif, from AS3, you can reference them in the declaration as BIG-IP objects like this:

 

"certs_on_bigip": {
    "class": "Certificate",
    "certificate": {
        "bigip":"/Common/my.test.local.crt"
    },
    "privateKey": {
        "bigip":"/Common/my.test.local.key"
    }
}

 

As far as uploading them with iControl REST directly, you need to upload the files, then use the

  • /mgmt/tm/sys/file/ssl-key
  • /mgmt/tm/sys/file/ssl-cert

endpoints to "import" them as BIG-IP objects. Note that you'll need to do any updates to cert/key pairs in use as BIG-IP objects on ssl profiles in a transaction. (there are definitely benefits to managing this in AS3 instead)

Anyway, here's an example of how that's done in python in my Let's Encrypt cert automation repo on Github:

https://github.com/f5devcentral/lets-encrypt-python/blob/main/hook_script.py#L74-L108

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

Shereif
Altostratus
Altostratus
In response to JRahm

‎21-Nov-2023 06:14

Thank you  for getting back.

I probably should have elaborated a little bit more on my scenario

I have my own python wrapper for the BIGIP API ( not using the SDK ), assuming that there is a platform that I can API to generate certificates and keys ( not F5 ), now in my program I have the actual cert and key text in memory and I don't want to write them on disc and then upload them

given the two API endpoints you mentioned

/mgmt/tm/sys/file/ssl-key
/mgmt/tm/sys/file/ssl-cert

what would the API call look like, there are a few keys that should be sent in the POST body here APIRef_tm_sys_file_ssl-key (f5.com) but I can't figure out thow to just send the cert and key text, without refering to a file on disc

hypothetical call using /mgmt/tm/sys/file/ssl-key and using a partition that is not Common

POST request with JSON body as following

{
    "name": "mykey.key",
    "tmPartition": "Partition1",
    "whatkey?": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA6E4h6p1AaatxTQ0BZqEu987eMMz+embO+VBtrlnVddsdXdc-----END RSA PRIVATE KEY-----\n"
}

after making that hypothetical call, the key should now be recognized on the F5 as mykey.key and I can reference it in the AS3 as you mentioned earlier.

I hope that cleared the scenario.

note: if there's a postman request example for the above scenario that would be great

Regards,

Shereif

0 Kudos

JRahm
Community Manager
Community Manager
In response to Shereif

‎21-Nov-2023 06:19

Hi @Shereif I don't think that won't work in the icontrol rest interface, but I'll do a little digging.

you can do this directly with an AS3 declaration though.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

JRahm
Community Manager
Community Manager
In response to JRahm

‎21-Nov-2023 14:00

you can reference a sourcePath object from cert/key creation, but that has to exist in a file or from ftp/http target. If your python wrapper wanted to serve up that cert/key as a web route in flask/fastapi/pyramid, etc...that might work for you, otherwise you'll need to use AS3 declaration to send as strings.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral
0 Kudos

Shereif
Altostratus
Altostratus
In response to JRahm

‎23-Nov-2023 02:39

@JRahm Thank you for getting back.

I wish there was a way where we can use the iControl REST to upload the cert and key payloads directly, that would make life much easier.

nonetheless, Thank you for looking into this

Regards,

Shereif

Copyright © 2023 Khoros, LLC