Forum Discussion

rashid_rashidov
Jan 15, 2020

How to edit certificate ca bundle via iControl REST API

Hi,

I have SSL certificates that have CA bundles. These CA bundles include multiple certificates. The use case is that some of those certificates expire and need to be deleted at some point in time.

Previously I was using the iControl SOAP method to do that:

https://clouddocs.f5.com/api/icontrol-soap/Management__KeyCertificate__certificate_delete_from_bundle.html

Unfortunately, this is no longer supported in the new version of BigIP. This is why we need to move to iControl REST in order to accomplish the same goal. However, I was not able to find how to perform the same operation using iControl REST.

What I was looking at was the following iControl REST API:

https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_sys_file_ssl-cert.html

In this API there is a subcollection "bundle-certificates".

However, as far as I can see in the documentation, this subcollection is read-only. It cannot be modified using iControl REST.

Does anyone have an idea how to remove a certificate from the CA bundle of a given certificate using the iControl REST API?

Regards,

Rashid

  • Hi Rashid,

    I managed to make things work by using the following REST API entry:

    do a GET on the following:

    https://{{BIGIP}}/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle

    where of course you replace the {{BIGIP}} with your BIG-IP IP address and add the relevant AUTH headers and so on (but you know that, based on what you sent in your question).

    This assumes that you have created your own ca-bundle (not the default one, I mean).

    It should provide a list like this one:

    {
        "kind": "tm:sys:crypto:ca-bundle-manager:ca-bundle-managerstate",
        "name": "MyCABundle",
        "partition": "Common",
        "fullPath": "/Common/MyCABundle",
        "generation": 43,
        "selfLink": "https://localhost/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle?ver=14.1.0.3",
        "proxyPort": 3128,
        "timeOut": 8,
        "trustedCaBundle": "/Common/ca-bundle.crt",
        "trustedCaBundleReference": {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt?ver=14.1.0.3"
        },
        "updateInterval": 0,
        "includeBundle": [
            "/Common/default.crt",
            "/Common/f5-ca-bundle.crt",
            "/Common/f5-irule.crt"
        ],
        "includeBundleReference": [
            {
                "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=14.1.0.3"
            },
            {
                "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~f5-ca-bundle.crt?ver=14.1.0.3"
            },
            {
                "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~f5-irule.crt?ver=14.1.0.3"
            }
        ]
    }

    and then you take what needs to be removed (for example here, I will remove f5-irule.crt from this list)

    and craft a PATCH REST call to your BIG-IP:

    PATCH https://{{BIGIP}}/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle

    {
        "includeBundle": [
            "/Common/default.crt",
            "/Common/f5-ca-bundle.crt"
        ]
    }

    Result should look like this:

    {
        "kind": "tm:sys:crypto:ca-bundle-manager:ca-bundle-managerstate",
        "name": "MyCABundle",
        "partition": "Common",
        "fullPath": "/Common/MyCABundle",
        "generation": 44,
        "selfLink": "https://localhost/mgmt/tm/sys/crypto/ca-bundle-manager/~Common~MyCABundle?ver=14.1.0.3",
        "proxyPort": 3128,
        "timeOut": 8,
        "trustedCaBundle": "/Common/ca-bundle.crt",
        "trustedCaBundleReference": {
            "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~ca-bundle.crt?ver=14.1.0.3"
        },
        "updateInterval": 0,
        "includeBundle": [
            "/Common/default.crt",
            "/Common/f5-ca-bundle.crt"
        ],
        "includeBundleReference": [
            {
                "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~default.crt?ver=14.1.0.3"
            },
            {
                "link": "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~f5-ca-bundle.crt?ver=14.1.0.3"
            }
        ]
    }

    HTH
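    The GET / edit / PATCH sequence from the answer above, as an added example that is not part of the original post and not F5's own client code. It assumes a BIG-IP whose iControl REST endpoint accepts HTTP Basic authentication, a hostname and credentials supplied by the caller, and a ca-bundle-manager object that already exists; the sample state embedded in the script is constructed from the GET response shown above. The edit logic is kept in a pure function so it can be checked offline before anything is sent to the device, and the script refuses to PATCH when the certificate named for removal is not actually in the list, so a mistyped path cannot silently become a no-op or strip the wrong entry.

```python
import base64
import json
import ssl
import urllib.request

# Constructed sample, modelled on the GET response shown in the answer above.
# Only the fields the edit logic touches are reproduced.
SAMPLE_STATE = {
    "kind": "tm:sys:crypto:ca-bundle-manager:ca-bundle-managerstate",
    "name": "MyCABundle",
    "partition": "Common",
    "fullPath": "/Common/MyCABundle",
    "includeBundle": [
        "/Common/default.crt",
        "/Common/f5-ca-bundle.crt",
        "/Common/f5-irule.crt",
    ],
}


def bundle_manager_path(partition, name):
    """iControl REST addresses /Common/MyCABundle as ~Common~MyCABundle."""
    return f"/mgmt/tm/sys/crypto/ca-bundle-manager/~{partition}~{name}"


def build_patch_body(state, cert_full_path):
    """Return the PATCH body that drops one certificate from includeBundle.

    The input state is not modified. Raises ValueError if the certificate is
    not currently included, so the caller never sends a PATCH based on a
    wrong assumption about the device's state.
    """
    current = list(state.get("includeBundle", []))
    if cert_full_path not in current:
        raise ValueError(
            f"{cert_full_path} is not in includeBundle of {state.get('fullPath')}"
        )
    remaining = [c for c in current if c != cert_full_path]
    return {"includeBundle": remaining}


def _request(host, method, path, auth_header, body=None, ctx=None):
    """Minimal JSON request against the BIG-IP management interface."""
    req = urllib.request.Request(f"https://{host}{path}", method=method)
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/json")
    data = None if body is None else json.dumps(body).encode()
    with urllib.request.urlopen(req, data=data, timeout=30, context=ctx) as resp:
        return json.loads(resp.read().decode())


def remove_cert_from_bundle(host, username, password, partition, name,
                            cert_full_path, cafile=None):
    """GET the ca-bundle-manager state, drop one certificate, PATCH it back.

    `host`, `username`, `password` and `cafile` are assumed inputs; `cafile`
    is the CA that signed the BIG-IP management certificate, so the TLS
    connection carrying the admin credentials is verified rather than blindly
    trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    auth = f"Basic {creds}"
    path = bundle_manager_path(partition, name)

    state = _request(host, "GET", path, auth, ctx=ctx)
    body = build_patch_body(state, cert_full_path)
    new_state = _request(host, "PATCH", path, auth, body=body, ctx=ctx)

    # Confirm the device reports the certificate gone before trusting the result.
    if cert_full_path in new_state.get("includeBundle", []):
        raise RuntimeError(f"{cert_full_path} still present after PATCH")
    return new_state


if __name__ == "__main__":
    # Offline dry run against the constructed sample: shows the PATCH body
    # that would be sent to remove f5-irule.crt, exactly as in the answer.
    print(json.dumps(build_patch_body(SAMPLE_STATE, "/Common/f5-irule.crt"), indent=4))
```

    Run without arguments it only prints the PATCH body for the constructed sample; call `remove_cert_from_bundle("bigip.example.invalid", "admin", "<password>", "Common", "MyCABundle", "/Common/f5-irule.crt", cafile="mgmt-ca.pem")` to perform the change against a real device (placeholder host and credentials shown). Note that this edits the ca-bundle-manager's includeBundle, which is the list of certificate objects it bundles; it does not rewrite the contents of an ssl-cert file directly.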

  • Hi, Philippe

    Thanks for your answer.

    Unfortunately, it does not work for us for the following reasons:

    We do not have ca bundle manager entities for each certificate that we have in the BigIP device. Nevertheless, let's say that we go on and create a ca bundle manager for each certificate that we have in the BigIP device. Once we have a ca bundle manager for a certificate that we want to manage, let's say we could manage the content of the certificate and its CA authorities bundle.

    However, we are not sure how to continue from this moment on. We have the certificates in the BigIP device so that we can assign them to SSL profiles (the profiles are then assigned to virtual servers). This is where we do not know how to use the ca bundle manager to assign a certificate to an SSL profile.

    I hope I was able to explain our use case clearly enough. Let me know if there is something missing in the description of our scenario.

    Regards,

    Rashid