Forum Discussion

Sean_Powell_821
Feb 05, 2015

Trying to Set Certificate and Key for ClientSSLProfile Using Powershell

Hello,

I am trying to create a profile with an existing certificate and key on version 11.4.1. I have found a number of examples similar to this that correctly create the profile ...

    $ProfileName = "TestProfile"

    $Cert = New-Object -TypeName iControl.LocalLBProfileString;
    $Cert.value = "default";
    $Cert.default_flag = "true";

    $Key = New-Object -TypeName iControl.LocalLBProfileString;
    $Key.value = "default";
    $Key.default_flag = "true";

    (Get-F5.iControl).LocalLBProfileClientSSL.create( $ProfileName, (, $Key), (, $Cert) );

... but they only ever seem to set the certificate and key to "default". It doesn't matter what value I put in the ProfileString 'value' parameter. I have tried the file name provided by Management::KeyCertificate::CertificateInformation_v2 and the object name, and nothing seems to work.

I have also tried using LocalLBProfileClientSSL.set_key_certificate_file, as I saw an article that said there was a bug in the create method, but that performs exactly the same way and does not set the certificate or key.

Could someone please point me in the right direction? I'm sure I'm missing something simple, but I'm just not seeing it.

Thanks!, Sean

7 Replies

  • I tried to recreate the same issue you're having, and was able to get this to work:

    $ProfileName = "ProfileName";
    
    $Cert = New-Object -TypeName iControl.LocalLBProfileString;
    $Cert.value = "/Common/CERT_NAME.crt";
    
    $Key = New-Object -TypeName iControl.LocalLBProfileString;
    $Key.value = "/Common/KEY_NAME.key";
    
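    # $b is the iControl interface object from an already initialized session, e.g. $b = Get-F5.iControl
    $b.LocalLBProfileClientSSL.create_v2( $ProfileName, (, $Key), (, $Cert) );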

    Things I changed were taking out the default-flag denotation, because that will mark that part to be the default instead of the value you're trying to set it as. The other thing is using the full name of the cert and key, complete with the file extension. And I changed it to create_v2. I'm not really sure of the differences but I always use the v2 methods.

    Hope this helps.

  • Thanks Michael.

    I originally tried _v2, as I usually use those too, and it failed. I found in the wiki it is for version 11.5 and later, I'm using 11.4.1.

    I had tried removing the default flag in my testing, and not setting the flag produces errors. Setting the flag to false doesn't seem to change the behavior either, it's still set as default.

    What I ended up doing was creating an SSLProfile with the default cert/key and then immediately changing it with the set_key_certificate_file function. Omitting the default_flag for the set_key_certificate_file function does work as expected.

    Thank you very much for your help.

    Sean


    • Sean_Powell_821
      Well, you confirmed what the values should be set to, so that helped a lot, thank you. I have a working solution, so it's all good :)
  • Hi Michael, thanks for the script. It is creating a profile with an existing certificate and key successfully on F5. But I have a doubt: how is this script connecting to the F5 LTM link without specifying the link and credentials in it? Could you please share your knowledge on this?


    • Michael_Jenkins

      If you're referring to how you would connect to the specific F5 device, you can see an example of how to connect to a device on the iControl PowerShell page. If I remember right (it's been a while since I've used iControl), you may try $b = (Get-F5) to see if that gets you what you're looking for.


  • Hi Michael... Thanks for the script. I also need help with the same issue (posted by Ansh). How are you passing the F5 name and credentials?
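
The workaround described in this thread for 11.4.1 (create the profile with the default cert/key, then call set_key_certificate_file without default_flag), together with the session setup the later replies ask about, as an added example that is not code from any poster here. The host name, profile name and cert/key names are placeholders, and the `get_certificate_file_v2` / `get_key_file_v2` read-back assumes those getters are available on the target version.

```powershell
# Added example: host, profile, cert and key names are placeholders.
Add-PSSnapin iControlSnapIn -ErrorAction Stop

$BigIP       = "bigip.example.com"        # placeholder management address
$ProfileName = "TestProfile"
$CertName    = "/Common/CERT_NAME.crt"    # cert and key must already exist on the device
$KeyName     = "/Common/KEY_NAME.key"

# Prompt for credentials at run time instead of embedding them in the script.
$net = (Get-Credential).GetNetworkCredential()
if (-not (Initialize-F5.iControl -HostName $BigIP -Username $net.UserName -Password $net.Password)) {
    throw "Could not connect to $BigIP"
}
$ic = Get-F5.iControl

# Helper (hypothetical name): builds a ProfileString and leaves default_flag unset.
function New-ProfileString([string]$Value) {
    $ps = New-Object -TypeName iControl.LocalLBProfileString
    $ps.value = $Value
    return $ps
}

# Step 1: create() with the default cert/key, as in the original post.
$defKey  = New-ProfileString "default"; $defKey.default_flag  = $true
$defCert = New-ProfileString "default"; $defCert.default_flag = $true
$ic.LocalLBProfileClientSSL.create( (, $ProfileName), (, $defKey), (, $defCert) )

# Step 2: point the profile at the real key and cert; default_flag is not set here.
$key  = New-ProfileString $KeyName
$cert = New-ProfileString $CertName
$ic.LocalLBProfileClientSSL.set_key_certificate_file( (, $ProfileName), (, $key), (, $cert) )

# Step 3: read the profile back, because the failure in this thread was silent:
# the call succeeded but the profile kept the default certificate.
# Assumption: the _v2 getters exist on this version.
$gotCert = $ic.LocalLBProfileClientSSL.get_certificate_file_v2( (, $ProfileName) )[0]
$gotKey  = $ic.LocalLBProfileClientSSL.get_key_file_v2( (, $ProfileName) )[0]
Write-Output "cert: $($gotCert.value)  key: $($gotKey.value)"
if ($gotCert.default_flag -or $gotKey.default_flag) {
    throw "Profile $ProfileName is still inheriting the default cert/key"
}
```

A profile left on the default certificate between step 1 and step 2 should not be attached to a virtual server until the read-back in step 3 passes.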