Forum Discussion
mhite_60883
Aug 23, 2012 | Cirrocumulus
This is what I do.
- Read the pem key and pem cert values into strings "cert_pem_data" and "cert_key_data"
- Automatically generate an identifier from the certificate subject CN.
In Python, it looks something like:
```python
import logging
from OpenSSL import crypto

log = logging.getLogger(__name__)

# Derive identifier from cert_pem_data
log.info("Determining certificate subject CN...")
x509 = crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem_data)
for component in x509.get_subject().get_components():
    # get_components() yields (name, value) pairs; on Python 3 both are bytes
    if component[0].lower() == b"cn":
        subject_cn = component[1].decode("utf-8")
        log.info("CN is \"%s\"." % subject_cn)
log.debug("Scrubbing subject CN to create certificate/key identifier...")
# replace_all() is a helper that is not shown in this post
identifier = replace_all(subject_cn, {'*': 'wildcard'}).strip()
log.debug("identifier = %s" % identifier)
```
- Upload the pem key / cert
```python
import time

# b is the iControl connection object (not shown in this post); pem_data takes the strings read in the first step
management_mode_type = b.Management.KeyCertificate.typefactory.create("Management.KeyCertificate.ManagementModeType")
b.Management.KeyCertificate.certificate_import_from_pem(mode=management_mode_type.MANAGEMENT_MODE_DEFAULT, cert_ids=[identifier], pem_data=[cert_pem_data], overwrite=True)
time.sleep(3)
b.Management.KeyCertificate.key_import_from_pem(mode=management_mode_type.MANAGEMENT_MODE_DEFAULT, key_ids=[identifier], pem_data=[cert_key_data], overwrite=True)
```
- Notice the "sleep" statement. F5 has some growing pains with their new device sync groups. You will need to insert a sleep between these upload operations or else replication between F5s breaks.
I also have other code which generates the client SSL profile and creates the necessary bundle which includes an intermediate certificate.
Hope this helps.
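A pre-upload check for the procedure in this post, as an added example that is not the poster's code: because both imports run with `overwrite=True`, it confirms the private key belongs to the certificate and derives the identifier with the same `*` to `wildcard` scrub before anything is sent to the device. It uses the `cryptography` package instead of pyOpenSSL; `preflight` and `make_sample_pair` are hypothetical names, and the certificate is a throwaway one constructed for the example.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

_SPKI = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)


def preflight(cert_pem_data, cert_key_data):
    """Return the identifier for a PEM cert/key pair (bytes), or raise ValueError."""
    cert = x509.load_pem_x509_certificate(cert_pem_data)
    key = serialization.load_pem_private_key(cert_key_data, password=None)
    # The key belongs to the certificate only if both carry the same public key.
    if cert.public_key().public_bytes(*_SPKI) != key.public_key().public_bytes(*_SPKI):
        raise ValueError("private key does not match certificate")
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    if len(cns) != 1:
        raise ValueError("expected exactly one subject CN, found %d" % len(cns))
    # Same scrub as the post: '*' becomes 'wildcard'.
    return cns[0].value.replace("*", "wildcard").strip()


def make_sample_pair(common_name):
    """Constructed test input: a throwaway self-signed cert and its key, as PEM."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2024, 1, 1)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    key_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    return cert.public_bytes(serialization.Encoding.PEM), key_pem


if __name__ == "__main__":
    cert_pem, key_pem = make_sample_pair("*.example.com")
    print(preflight(cert_pem, key_pem))
```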