Forum Discussion

Ripkey_120880
Jan 30, 2014

Bulk move SSL Certs

Hi, I'm currently doing an LTM migration from 2 3400's running 10.2.2 to a new pair running 11.4.1. I was wondering if there is a way to bulk export all the certs and then import them into the new LTM's.
Appreciate the help!
-Jason
9 Replies

  • Kevin_K_51432
    Historic F5 Account

    Hi Jason, I'm not aware of any easy way to do this. If I had to perform a bulk upload myself, I'd use a combination of bash and tmsh.

    1. Create a /var/tmp/key directory and move all the keys there using SCP.
    2. Create a /var/tmp/crt directory and move all the certs there using SCP.
    3. Once all the certs and keys are in place you should be able to run these:
        for i in `ls -1 /var/tmp/key`; do tmsh install sys crypto key $i from-local-file /var/tmp/key/$i; done
        for i in `ls -1 /var/tmp/crt`; do tmsh install sys crypto cert $i from-local-file /var/tmp/crt/$i; done
        tmsh save sys config
    

    I tried this with three cert / key pairs:

    tmsh list sys crypto key
    sys crypto key siteone.key {
        key-size 2048
        key-type rsa-private
        security-type normal
    }
    sys crypto key sitethree.key {
        key-size 2048
        key-type rsa-private
        security-type normal
    }
    sys crypto key sitetwo.key {
        key-size 2048
        key-type rsa-private
        security-type normal
    }
    
    tmsh list sys crypto cert
    sys crypto cert siteone.crt {
        certificate-key-size 2048
        city Seattle
        common-name localhost.localdomain
        country US
        email-address root@localhost.localdomain
        expiration Dec 25 10:13:15 2023 GMT
        organization MyCompany
        ou IT
        state WA
        subject-alternative-name
    }
    sys crypto cert sitethree.crt {
        certificate-key-size 2048
        city Seattle
        common-name localhost.localdomain
        country US
        email-address root@localhost.localdomain
        expiration Dec 25 10:13:15 2023 GMT
        organization MyCompany
        ou IT
        state WA
        subject-alternative-name
    }
    sys crypto cert sitetwo.crt {
        certificate-key-size 2048
        city Seattle
        common-name localhost.localdomain
        country US
        email-address root@localhost.localdomain
        expiration Dec 25 10:13:15 2023 GMT
        organization MyCompany
        ou IT
        state WA
        subject-alternative-name
    }
    
    
    • Sec-Enabled_658
      Those commands worked great for importing on the box, but is there a command to export the keys/certs in bulk? In the GUI, you can export as an "archive", but it would be nice via CLI. I don't see a way to do it through tmsh.
  • is there a command to export the keys/certs in bulk? In the GUI, you can export as an "archive", but it would be nice via CLI.
    I am not aware of one. Anyway, cert and key files are in /config/filestore/files_d/Common_d/. Also, by default they are included in the UCS and SCF files.
    Hope this helps.
  • On my v11.2 box, I saved the config using SCF, i.e. tmsh save sys config file, and it created two files for me in /var/local/scf. One contains the configuration files and the other the certificates. I guess you can SCP the contents of the tar file into /var/tmp of the new BIGIP system and run the script above by Kevin K to properly install the SSL certs and keys. It would be nice if F5 could actually do this as part of Enterprise Manager, or just as an option under System on a regular appliance.
    • Rocky

      Hi Guys, when I imported the UCS, the import failed due to hardware differences (from 6900 to 7250v). I have manually copied the SSL certs and keys; however, the naming is different. It shows as name.key_15147_1.key and name.crt_15089_1.crt. Why is it showing numbers instead of just .crt or .key? When I load it, it displays as separate keys and certs in the GUI under SSL certs (RSA key separate and cert separate, in two lines). It should be combined. Is there any way I can import/load the SSL certs and keys without any issues? Any help is appreciated.
      Thanks,

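A shell version of Kevin's bash/tmsh loop that also handles the filestore names Rocky ran into (name.key_15147_1.key, name.crt_15089_1.crt): it strips the revision suffix so each key and cert is installed under its plain name and the GUI shows them as one pair, installs only keys that have a matching cert, and just prints the tmsh commands until DRY_RUN=0 is set. This is an added example, not code from the thread or from F5; the function names, the DRY_RUN variable and the suffix pattern are assumptions inferred from the names quoted in this thread, and /var/tmp/key and /var/tmp/crt are the directories from Kevin's steps.

```sh
#!/bin/sh
# Added example, not from the thread or from F5: pair keys with certs by name
# and emit the tmsh install commands (DRY_RUN=1, the default, only prints them).
# The "_NNNNN_N" suffix pattern is inferred from names quoted in the thread.
# Strip the filestore revision suffix: "site.key_15147_1.key" -> "site.key".
# Names without such a suffix are returned unchanged.
normalize_name() {
    printf '%s\n' "$1" | sed -E 's/(\.(key|crt))_[0-9]+_[0-9]+(\.(key|crt))?$/\1/'
}

# Shared stem of a key/cert pair: "site.key" or "site.crt" -> "site".
stem_of() {
    normalize_name "$1" | sed -E 's/\.(key|crt)$//'
}

# Print the path of the cert in $2 whose stem is $1; fail if there is none.
find_cert() {
    for c in "$2"/*; do
        [ -f "$c" ] || continue
        if [ "$(stem_of "$(basename "$c")")" = "$1" ]; then
            printf '%s\n' "$c"; return 0
        fi
    done
    return 1
}

# Print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Install every key in $1 that has a matching cert in $2, both under their
# normalized names so the GUI shows each pair on one line. Keys without a
# cert are reported on stderr and skipped. Ends with "paired=N unpaired=M".
install_pairs() {
    keydir=$1; crtdir=$2; paired=0; unpaired=0
    for k in "$keydir"/*; do
        [ -f "$k" ] || continue
        kname=$(normalize_name "$(basename "$k")")
        if c=$(find_cert "$(stem_of "$kname")" "$crtdir"); then
            run tmsh install sys crypto key "$kname" from-local-file "$k"
            run tmsh install sys crypto cert "$(normalize_name "$(basename "$c")")" from-local-file "$c"
            paired=$((paired + 1))
        else
            echo "WARN: no cert for key $kname; skipping" >&2
            unpaired=$((unpaired + 1))
        fi
    done
    echo "paired=$paired unpaired=$unpaired"
}
if [ "$#" -ge 2 ]; then install_pairs "$1" "$2"; fi
```

Review the printed commands first, then run the same invocation with DRY_RUN=0 (for example `DRY_RUN=0 sh install_pairs.sh /var/tmp/key /var/tmp/crt`) and finish with `tmsh save sys config` as in Kevin's steps.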

  • The following is performed in the GUI.
    1. Navigate to Local Traffic, SSL Certificates.
    2. Click the Archive button.
    3. Move everything from the right to the left, both keys and certs.
    4. Now move default.key and default.crt back to the right-hand side.
    5. Specify a name for the file.
    6. Click Generate and Download file.
    7. On the new F5, click Import.
    8. Specify that it's an archive file.
    9. Select the file.
    10. Submit.
    11. Done.
    • Rocky

      WOW! What a suggestion! I got it all right now, uploaded all ssl cert/keys and am able to load the bigip.conf file successfully. Thanks a ton, Kevin.
      I have another issue in loading the bigip_base file. It is throwing the error "/bigip_base.conf at line: 20) "cert" unexpected argument". I have checked line 20; here is the config:
      I have these certs in the filestore location...
      cm cert /Common/dtca-bundle.crt {                 <-- line 20
          cache-path /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_46481_10
          checksum SHA1:2144:9ebcfad57e992ba99d3bab7dd267fa70cec69d01
          revision 10
      }
      How can I fix this? Any idea?
      Thanks!