Forum Discussion

t-roy
Nov 14, 2012

SSL and Cert keystore in V11

Where did they move this to in V11? In v10 it was in /config/ssl.key and ssl.crt


8 Replies

  • t-roy
    All the directories in config/ssl/* only have the default certs. I am running 11.2.0. Plenty of certs on this box too; I can get them through the GUI, but it is a lot easier to grab the keys from the CLI if I can get to them...
  • The default LTM certs are still stored in /config/ssl/. The custom certs/keys are stored in the filestore:

    find / -name '*.crt*' -o -name '*.key*'

    /var/ts/dms/common/classes/tcpdf/tcpdf.crt
    /var/dnscached/config/rndc.key
    /var/named/config/rndc.key
    /var/lib/mysql/server.crt
    find: /proc/32292/net: Invalid argument
    /config/rndc.key
    /config/httpd/conf/ssl.crt
    /config/httpd/conf/ssl.crt/server.crt
    /config/filestore/.trash_bin_d/.backup_1349198708_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_14
    /config/filestore/.trash_bin_d/.backup_1349993934_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_15
    /config/filestore/.trash_bin_d/.backup_1339609266_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_10
    /config/filestore/.trash_bin_d/.backup_1345881646_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_12
    /config/filestore/.trash_bin_d/.backup_1352844539_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_20
    /config/filestore/.trash_bin_d/.backup_1350241745_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_18
    /config/filestore/.trash_bin_d/.backup_1350075788_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_17
    /config/filestore/.trash_bin_d/.backup_1352717087_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_19
    /config/filestore/.trash_bin_d/.backup_1344326451_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_11
    /config/filestore/.trash_bin_d/.backup_1350073068_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_16
    /config/filestore/.trash_bin_d/.backup_1349193032_0_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_13
    /config/filestore/files_d/Common_d/certificate_d/:Common:default.crt_1
    /config/filestore/files_d/Common_d/certificate_d/:Common:root.example.com.crt_1
    /config/filestore/files_d/Common_d/certificate_d/:Common:server.example.com.crt_1
    /config/filestore/files_d/Common_d/certificate_d/:Common:ca-bundle.crt_1
    /config/filestore/files_d/Common_d/certificate_d/:Common:star.example.com.crt_1
    /config/filestore/files_d/Common_d/certificate_d/:Common:f5-irule.crt_1
    /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtdi.crt_4
    /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca-bundle.crt_21
    /config/filestore/files_d/Common_d/trust_certificate_d/:Common:dtca.crt_3
    /config/gtm/server.crt
    /config/big3d/client.crt
    /config/ssl/ssl.crt
    /config/ssl/ssl.crt/dtca-bundle.crt
    /config/ssl/ssl.crt/f5-irule.crt
    /config/ssl/ssl.crt/default.crt
    /config/ssl/ssl.crt/ca-bundle.crt.preremoval
    /config/ssl/ssl.crt/ca-bundle.crt
    /usr/share/defaults/fs/config/ssl/ssl.crt
    /usr/share/defaults/fs/config/ssl/ssl.crt/ca-bundle.crt.rpmbackup
    /etc/pki/tls/certs/ca-bundle.crt
    /shared/em/ssl.crt
    /shared/em/ssl.crt/10.0.0.10.crt

    You can import/export these and other files via the GUI or using 'tmsh sys file'.

    Aaron
  • Hi Aaron,

    Do you know if there is any particular logic to the new naming convention used?

    For example, why are the directories appended with "_d"?

    Why are they using colons (":") in the file names, which means that I need to escape them when scp-ing, mv-ing, running openssl, etc.?

    If the files are in "Common_d", why rename the files at all to contain ":Common:"?

    Also, in the bigip.conf and when creating an SCF, there is a sys file entry which now contains the following:

    sys file ssl-cert /Common/my.domain.local.crt {
        cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:my.domain.local.crt_1
        revision 1
    }

    sys file ssl-key /Common/my.domain.local.key {
        cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:my.domain.local.key_1
        revision 1
        source-path /config/ssl/ssl.key/my.domain.local.key
    }

    The cache-path seems to imply that this is the location for a copy of the file, but that doesn't seem to be the case. It's poorly documented in the tmsh ref guide.

    The source-path points to a file that does not exist at all.

    Any input appreciated.
  • Hey Wire,

    I found the new naming conventions to be a bit odd too. It's a nuisance to have to escape the colon delimiters :)

    I think the source-path is just left over from when the file was imported. The source file doesn't need to still exist as the file is now managed by TMM.

    Aaron
  • Is there an API to fetch certificates from store like /config/filestore/files_d/Common_d/certificate_d?
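An added example (mine, not from any poster or from F5) that encodes the filestore layout visible in Aaron's find listing and audits the sys file stanzas Wire quoted: it splits a cache-path into partition, object type, name and revision, and flags a stanza whose object name or revision attribute disagrees with its cache-path, which is the kind of drift you want to catch before a config sync or a UCS restore. The regexes are my reading of the layout shown in the thread, not an F5-documented grammar, and the bigip.conf text is constructed.

```python
import re
# Filestore layout as seen in Aaron's find listing (my reading, not F5-documented):
#   /config/filestore/files_d/<partition>_d/<type>_d/:<partition>:<name>_<revision>
LIVE_RE = re.compile(
    r"^/config/filestore/files_d/(?P<part>[^/]+)_d/(?P<type>[^/]+)_d/"
    r":(?P<part2>[^:]+):(?P<name>.+)_(?P<rev>\d+)$")
STANZA_RE = re.compile(
    r"sys file (?P<kind>ssl-cert|ssl-key) (?P<obj>\S+) \{(?P<body>.*?)\}", re.S)

def parse_cache_path(path):
    """Split a live filestore path into partition, object type, name and revision."""
    m = LIVE_RE.match(path)
    if not m or m["part"] != m["part2"]:
        return None  # trash-bin backups, /config/ssl/ files etc. are not live objects
    return {"partition": m["part"], "type": m["type"],
            "name": m["name"], "revision": int(m["rev"])}

def parse_stanzas(conf):
    """Extract 'sys file ssl-cert' / 'ssl-key' stanzas from bigip.conf text."""
    out = []
    for m in STANZA_RE.finditer(conf):
        attrs = dict(re.findall(r"(\S+)\s+(\S+)", m["body"]))  # key/value lines
        out.append({"kind": m["kind"], "object": m["obj"], **attrs})
    return out

def check_stanza(stanza):
    """Findings for one stanza: cache-path must agree with object name and revision."""
    parsed = parse_cache_path(stanza.get("cache-path", ""))
    if parsed is None:
        return ["cache-path does not follow the filestore layout"]
    findings = []
    if stanza["object"] != f"/{parsed['partition']}/{parsed['name']}":
        findings.append("cache-path name differs from object name")
    if int(stanza.get("revision", -1)) != parsed["revision"]:
        findings.append("revision attribute disagrees with cache-path suffix")
    return findings

def audit(conf):
    """Map each object to its findings; an empty list means the stanza is consistent."""
    return {s["object"]: check_stanza(s) for s in parse_stanzas(conf)}

# Constructed sample after Wire's stanzas; the key's revision is deliberately wrong.
SAMPLE_CONF = """
sys file ssl-cert /Common/my.domain.local.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:my.domain.local.crt_1
    revision 1
}
sys file ssl-key /Common/my.domain.local.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:my.domain.local.key_1
    revision 2
    source-path /config/ssl/ssl.key/my.domain.local.key
}
"""
```

Running `audit(SAMPLE_CONF)` reports the cert stanza as clean and the key stanza with a revision mismatch; the source-path attribute is carried through unchecked, matching Aaron's point that it is only a record of where the file was imported from.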