Forum Discussion

Fallout1984
Oct 19, 2021

Replacing vserver certificates (say for SSL offload) via CLI?

I'm looking for an alternative to using the GUI for replacing a vserver's certificate. Sure, if it's just one vserver it's not much work at all to swap certs via the GUI; however, I have at least two instances where I have to replace the cert on eight vservers (multiple front-end ports configured), which is tedious. Another method would be to just change the cert/key/intermediate on the cert profile in use.

Surely there's a more efficient way of doing this via the CLI...

Thanks!

  • Yes, there is a way to update the certificates in the SSL profiles via the CLI, but you need to have the new certificate uploaded on the F5. If the certificate is already uploaded on the F5, you can use the command below to update the new certificate under the selected client and/or server SSL profile. Once you have the proper certificate, key and profile name selected, you can update multiple certificates and keys under SSL profiles with the commands below in one go.

    tmsh modify ltm profile <SSL-Profile-Type> <SSL-Profile-Name> cert <SSL-Certificate-Name> key <SSL-Key-Name>

    If you want to import the certificate first (without using the WebUI), you can use an SCP transfer. Once the certificate and key files are transferred, you first need to install those files using the commands given below. Once they are installed, you can use the command above to update the certificate and key under the SSL profiles.

    tmsh install sys crypto cert <SSL-certificate-name> from-local-file <path-to-certificate-file>
    tmsh install sys crypto key <SSL-key-name> from-local-file <path-to-key-file>

    Ref. article for more details -

    https://support.f5.com/csp/article/K14031

    NOTE: After installing the certificates and/or keys, you must verify that the cert and key are properly installed before applying them under profiles.

    This way you can manage these configurations via the CLI.

    Hope it helps!
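
An added example, not part of the reply above and not F5's own tooling: a pre-flight check on the local certificate and key files that prints the install and per-profile `tmsh` commands in the form given in the answer. It assumes `openssl` is available where it runs; the object names, file paths and profile names are placeholders, and it does not replace verifying the installed objects on the BIG-IP.

```shell
#!/bin/bash
# Added example. Object names, file paths and profile names are placeholders.

# Succeed only if the certificate's public key equals the private key's public half.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the certificate is still valid $2 days from now (default 30).
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Print (never execute) the install commands plus one modify per profile.
# Args: <cert-name> <key-name> <cert-file> <key-file> <profile-type> <profile>...
plan_cert_swap() {
    local cert_name="$1" key_name="$2" cert_file="$3" key_file="$4" ptype="$5" p
    [ $# -ge 6 ] || { echo "usage: need at least one profile" >&2; return 2; }
    shift 5
    case "$ptype" in
        client-ssl|server-ssl) ;;
        *) echo "unsupported profile type: $ptype" >&2; return 2 ;;
    esac
    echo "tmsh install sys crypto cert $cert_name from-local-file $cert_file"
    echo "tmsh install sys crypto key $key_name from-local-file $key_file"
    for p in "$@"; do
        echo "tmsh modify ltm profile $ptype $p cert $cert_name key $key_name"
    done
}

# Gate the plan on both checks so a mismatched or stale pair never reaches a profile.
checked_cert_swap() {
    cert_matches_key "$3" "$4" || { echo "certificate and key do not match" >&2; return 1; }
    cert_not_expiring "$3" || { echo "certificate expires within 30 days" >&2; return 1; }
    plan_cert_swap "$@"
}
```

Calling `checked_cert_swap` with the eight profile names from the question prints ten commands to review before running them on the BIG-IP; nothing is changed until those printed commands are executed.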
