OpenSSL command line on F5 LTM CSR/key generation

Is all of your organizational information the same across certificates, just the subject changing? When we went through a cert refresh exercise, I recall pre-generating openssl 'config' files that housed all of the certificate details (as we also had some that needed SAN extensions). Once we had a directory full of the config files, batch generation was done by listing the directory and piping through the bash command 'xargs' that popped the config file name into an openssl command to generate key and CSR based on the config. (The config files were generated with some Python that pulled necessary information from the existing certs.)

Sorry if this doesn't help but wanted to pass along the idea of config files and 'xargs'. As the solution was 'mediocre but expedient' I didn't commit it to memory assuming we'd do something more elegant next round. ;)

I think I found the working command..

openssl req -new –key ./bulk.key/$domain_rebrand.key –out ./bulk.key/$domain_rebrand.csr -subj "/C=US/ST=xxxxxx/L=xxxxx/O=xxxxxx/OU=xxxx/CN=$domain”

planning on using (which I found as a F5 article) to import the key into the LTM

tmsh install /sys crypto key ./bulk.key/$domain_rebrand.key from-local-file /config/ssl/ssl.key/$domain_rebrand.key

ok, this new verions if LTM has to be bugged...

Document says use this: •11.5.0 and later: The following command generates a new CSR in the /config/ssl/ssl.csr/ directory named f5test.com_2015.csr, using the SSL private key named f5test.com_2015.key using a SHA2 digest:

openssl req -new -key /config/ssl/ssl.key/f5test.com_2015.key -out /config/ssl/ssl.csr/f5test.com_2015.csr -sha256

"Get unknown option -key" error message....

Thought I'd share since I don't see any good examples. This is working for me.

The command looked like it was creating a key at the same time it was generating the CSR, my issue was the key needed to be created first. I thought I had done that first, but coming back to it again started working.

We are rebranding our 100's of websites and we have a different group managing a WAF device, so need to send them the keys also hence the email of both the key and CSR. I'm planning on further automating renewals to generate a new key each time and then email us the csr/key for processing with our CA provider and WAF team. Hope this helps someone!

DATE=`date +%m%d%y-%H.%M.%S`

mkdir ./bulk.csr
mkdir ./bulk.key

while read domain; do
echo $domain

Generate a key and CSR:
openssl genrsa -out ./bulk.key/$domain.rebrand.key 2048

openssl req -new -key ./bulk.key/$domain.rebrand.key -out ./bulk.csr/$domain.rebrand.csr -subj "/C=US/ST=xxx/L=xxx/O=xxx, Inc./OU=IT/CN=$domain/emailAddress=xxxx@xxx.com"
openssl req -noout -text -in ./bulk.csr/$domain.rebrand.csr > ./domain.rebrand.log

Sending email with attached CSR:
mail -s "Attached is the CSR generated for $domain on $HOSTNAME" xxxx@xxx.com < ./bulk.csr/$domain.rebrand.csr
mail -s "Attached is the KEY generated for $domain on $HOSTNAME" xxxx@xxx.com < ./bulk.key/$domain.rebrand.key

done < ./domain.rebrand.txt
read csr command: openssl req -noout -text -in ./bulk.csr/$domain.rebrand.csr

also might come in handy:

tmsh install /sys crypto key ./bulk.key/$domain_rebrand.key from-local-file /config/ssl/ssl.key/$domain_rebrand.key