Forum Discussion

Mandragor
Oct 25, 2019

Trouble creating key/CSR through iControl as user with Certificate Manager role

We have to create a key and CSR separately, instead of using the gen-csr option when creating the key. This works fine when run as an administrator, but when using the same REST calls as a user with the Certificate Manager role we get different errors depending on the version used.

On version 13.1.1.5 the key creation fails with a 400 error: "Key management library returned bad status: -4, Invalid Parameter"

On version 14.1.2.1 key creation works fine, but CSR creation fails with a different 400 error: "Key management library returned bad status: -7, error:0906D06C:PEM routines:PEM_read_bio:no start line"

We're using the f5-icontrol-rest-python library directly, since the f5-python-sdk doesn't seem to have any methods for generating CSRs as far as we can see.

Code:

icr_session = iControlRESTSession(bigip_username, bigip_password, token=True)
icr_session.post('https://'+bigip_host+'/mgmt/tm/sys/crypto/key/',\
        json={'name':cn+'.key',
        'commonName':cn,
        'partition':partition,
        })
icr_session.post('https://'+bigip_host+'/mgmt/tm/sys/crypto/csr',\
        json={'name':cn+'.csr',
        'commonName':cn,
        'partition':partition,
        'key':cn+'.key',
        })

3 Replies

  • In my environment, a user with the Certificate Manager role does not have any issue creating a key, so I would say the issue is not related to the user's permissions.

    Perhaps the error is due to conflicting locations of the key. Line #3 says that the key is located under /Common (because you did not add the path), but the partition in Line #5 is pointing somewhere else. You do not need to specify "partition":partition in a key generation request (the tmsh equivalent command does not have that option). Just use the name /Partition/keyname.key. For example,

    curl -sku admin:<pass> https://<host>/mgmt/tm/sys/crypto/key \
      -X POST -H "Content-type: application/json" \
      -d '{"name":"/TestFolder/sat.key"}'

    for generating the key 'sat.key' under /TestFolder.

    Also, commonName (Line #4) is not necessary for key generation (and to my knowledge, the field name is spelled 'common-name').

    Line #8 also is pointing to the key in /Common. You need to add its path if it is located elsewhere: e.g., /TestFolder/sat.key. For example,

    curl -sku admin:<pass> https://<host>/mgmt/tm/sys/crypto/csr \
      -X POST -H "Content-type: application/json" \
      -d '{"name":"/TestFolder/sat.csr",
           "common-name":"Foo Bar",
           "organization":"Shocker",
           "city":"Mitaka",
           "state":"Tokyo",
           "country":"JP",
           "ou":"Development",
           "key":"/TestFolder/sat.key"
          }'
  • Thank you for taking the time to respond.

    I'm not sure your assumption on the key creation is correct, though. I can see in the web UI that the key has been created in the correct partition when just specifying partition as a parameter, and not when including it in the name, but I did try your way as well. If I leave out the partition parameter it gives an error, so it is not enough to just specify the partition in the name when using the f5-icontrol-rest-python method.

    When it comes to the CSR part of the issue I believe you were spot on in recommending we specify the partition; now we get a new error message including the text "Unable to extract key information from", and it seems we are affected by the bug https://cdn.f5.com/product/bugtracker/ID748940.html, which requires us to use tmsh unless we upgrade to 15.0.

  • Have you tried the curl call I mentioned? If the curl command failed, will you share your command and the error message?

    If you have specified a key name with a path (e.g., /TestFolder/sat.key) without providing the "partition" property and the call using f5-icontrol-rest-python failed, the module might have done something else internally. If the curl call worked but f5-icontrol-rest-python did not, then that's an f5-icontrol-rest-python issue rather than an iControl REST issue. The GitHub issues page is probably a better place to discuss it.

    Generally speaking, when you encounter iControl REST issues using external utilities (Python, PowerShell, etc.), it is recommended to run equivalent curl calls to check whether the problems come from iControl REST itself or from the utilities.

    Regarding CSR generation, you are right. You cannot create a CSR on a non-Common partition using the key on the non-Common partition (I should have double-checked before posting the curl call example), and it is addressed in ID748940.

    (LF inserted for readability's sake)
    curl -sku $PASS https://$HOST/mgmt/tm/sys/crypto/csr -X POST \
      -H "Content-type: application/json" \
      -d '{"name":"/TestFolder/sat.csr",
           "common-name":"Foo Bar",
           "organization":"Santama",
           "city":"Fuchu",
           "state":"Tokyo",
           "country":"JP",
           "ou":"Finance",
           "key":"/TestFolder/sat.key"}'
    {
        "apiError": 26214401,
        "code": 400,
        "errorStack": [],
        "message": "Unable to extract key information from \"/config/filestore/files_d/TestFolder_d/certificate_key_d/:TestFolder:sat.key_164860_1\"to \"/var/system/tmp/tmsh/87WeWu/ssl.key//TestFolder/sat.key\""
    }
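The curl calls from the first and third replies, rewritten as standard-library Python so the library question (f5-icontrol-rest-python versus iControl REST itself) can be separated the way the third reply suggests, plus a classifier for the error messages quoted in this thread. This is an added example, not code from the thread, from f5-icontrol-rest-python or from F5; the host, credentials and the `verify_tls` flag are assumptions, and the sample error body is constructed from the one shown above.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample: the 400 body the third reply shows for the CSR call (path shortened).
SAMPLE_CSR_ERROR = {"apiError": 26214401, "code": 400, "errorStack": [],
                    "message": "Unable to extract key information from "
                               "\"/config/filestore/files_d/TestFolder_d/certificate_key_d/:TestFolder:sat.key_164860_1\""}

def key_body(partition, name):
    """Key request body: path-qualified name only, no separate 'partition' property (first reply)."""
    return {"name": f"/{partition}/{name}.key"}

def csr_body(partition, name, common_name, **subject):
    """CSR request body that references the key by its full path; extra subject fields pass through."""
    body = {"name": f"/{partition}/{name}.csr", "common-name": common_name,
            "key": f"/{partition}/{name}.key"}
    body.update(subject)  # organization, city, state, country, ou, as in the curl examples
    return body

def classify_error(status, body):
    """Map the error messages quoted in this thread to a short diagnosis string."""
    if status < 400:
        return "ok"
    msg = body.get("message", "") if isinstance(body, dict) else str(body)
    if "Unable to extract key information" in msg:
        return "csr-key-on-non-common-partition"   # the failure the thread attributes to ID748940
    if "PEM_read_bio:no start line" in msg:
        return "key-reference-not-path-qualified"  # bare 'cn.key' was resolved under /Common
    if "Invalid Parameter" in msg:
        return "invalid-parameter"                 # the 13.1.1.5 key-creation error in the question
    return "other"

def icontrol_post(host, user, password, path, body, verify_tls=True):
    """POST JSON with basic auth, the equivalent of 'curl -su user:pass'; returns (status, parsed body)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{path}", data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "Authorization": f"Basic {cred}"})
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for lab devices with self-signed certificates
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # iControl REST returns its error details as a JSON body
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"message": raw.decode(errors="replace")}
```

Against a reachable device, `icontrol_post(host, user, pw, "/mgmt/tm/sys/crypto/key", key_body("TestFolder", "sat"))` sends the same request as the first reply's curl, and feeding its result to `classify_error` tells you which of the thread's failures you are looking at.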