Forum Discussion

t-roy
Nov 14, 2012

SSL and Cert keystore in V11

Where did they move this to in V11? In v10 it was in /config/ssl.key and ssl.crt


  • t-roy:
    All the directories in config/ssl/* only have the default certs. I am running 11.2.0. Plenty of certs on this box too; I can get them through the GUI, but it is a lot easier to grab the keys from the CLI if I can get to them...
  • The default LTM certs are still stored in /config/ssl/. The custom certs/keys are stored in the filestore:

    find / -name '*.crt*' -o -name '*.key*'

    find: /proc/32292/net: Invalid argument

    You can import/export these and other files via the GUI or using 'tmsh sys file'.
  • Hi Aaron,

    Do you know if there is any particular logic to the new naming convention used?

    For example, why are the directories appended with "_d"?

    Why are they using colons ":" in the file names, which means that I need to escape them when scp-ing, mv, openssl etc.?

    If the files are in "Common_d", why rename the files at all to contain ":Common:"?

    Also, in the bigip.conf and when creating an scf there is a sys file entry which now contains the following:

    sys file ssl-cert /Common/my.domain.local.crt {
        cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:my.domain.local.crt_1
        revision 1
    }

    sys file ssl-key /Common/my.domain.local.key {
        cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:my.domain.local.key_1
        revision 1
        source-path /config/ssl/ssl.key/my.domain.local.key
    }

    The cache-path seems to imply that this is the location for a copy of the file, but that doesn't seem to be the case. It's poorly documented in the tmsh ref guide.

    The source-path points to a file that does not exist at all.

    Any input appreciated.
  • Hey Wire,

    I found the new naming conventions to be a bit odd too. It's a nuisance to have to escape the colon delimiters :)

    I think the source-path is just left over from when the file was imported. The source file doesn't need to still exist as the file is now managed by TMM.
  • Is there an API to fetch certificates from store like /config/filestore/files_d/Common_d/certificate_d?