sys crypto ca-bundle-manager

sys crypto ca-bundle-manager(1) 			BIG-IP TMSH Manual			   sys crypto ca-bundle-manager(1)

NAME
       ca-bundle-manager - Certificate Authority (CA) certificate bundle manager on the BIG-IP(r) system.

MODULE
       sys crypto

SYNTAX
       A ca-bundle-manager manages cryptographic ca-bundles using the syntax given in the following sections.

   CREATE/MODIFY
	 create ca-bundle-manager [name]
	 modify ca-bundle-manager [name]
	   options:
	     description [string]
	     exclude-bundle
	       [add | delete | replace-all-with] {
		  [cert file obj] ...
	     }
	     exclude-url
	       [add | delete | replace-all-with] {
		  [url] ...
	     }
	     include-bundle
	       [add | delete | replace-all-with] {
		  [cert file obj] ...
	     }
	     include-url
	       [add | delete | replace-all-with] {
		  [url] ...
	     }
	     proxy-server [ [hostname] | [ipv4] | [ipv6] ]
	     proxy-port [ port number ]
	     trusted-ca-bundle [certificate file object]
	     update-interval [days]
	     time-out [seconds]
	     update-now [yes | no]

   LIST
	 list ca-bundle-manager [name]
	   options:
	     -hidden

   DELETE
	 delete ca-bundle-manager [name]

DESCRIPTION
       You can use the ca-bundle-manager component to automatically update and install CA-bundles on the system from two sources:
       local certificate file objects and remote URL resources. The sources are combined using set include/exclude operations,
       which are equivalent to mathematical set addition/subtraction. For example, the user may use the include-bundle
       and include-url options to combine CA-certificates from various sources, and the exclude-bundle and exclude-url options to
       remove certain CA-certificates from the final CA-bundle file. The generated CA-bundle file is installed as a
       certificate-file-object on the system and used as a trusted CA-bundle by other modules. Additionally, the user may set the
       update frequency of the CA-bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created
       CA-bundle manager does not create or update the managed CA-bundle object unless it has a positive update interval or is
       explicitly told to do so by the update-now option. Additionally, the calculated CA-bundle must contain at least two CA
       certificates to be installed on the system.
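
       The include/exclude set arithmetic and the two-certificate minimum described above, modeled offline as an added example
       (not F5 code). It assumes certificates are matched by the SHA-256 of their DER bytes, which this manual does not specify;
       the function names and sample bundles are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

MIN_CA_CERTS = 2  # per the manual: a smaller calculated bundle is not installed


def fingerprints(bundle_text):
    """Map SHA-256(DER) -> PEM block for every certificate in a bundle.

    Matching by DER fingerprint is an assumption of this example.
    """
    certs = {}
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        certs[hashlib.sha256(der).hexdigest()] = match.group(0)
    return certs


def compute_bundle(includes, excludes):
    """Union of all include sources minus the union of all exclude sources."""
    included, excluded = {}, set()
    for text in includes:
        included.update(fingerprints(text))
    for text in excludes:
        excluded.update(fingerprints(text))
    result = {fp: pem for fp, pem in included.items() if fp not in excluded}
    return result, len(result) >= MIN_CA_CERTS


def fake_pem(label):
    # Constructed placeholder: base64 of a label, not a real X.509 certificate.
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sources standing in for include-bundle, include-url, exclude-bundle.
LOCAL_BUNDLE = fake_pem("Root A") + fake_pem("Root B")
REMOTE_BUNDLE = fake_pem("Root B") + fake_pem("Root C")
DISTRUSTED = fake_pem("Root C")

if __name__ == "__main__":
    bundle, installable = compute_bundle([LOCAL_BUNDLE, REMOTE_BUNDLE], [DISTRUSTED])
    print(len(bundle), "certificates; installable:", installable)
```

       Running the same calculation over real PEM sources before issuing update-now shows whether an exclude list would shrink
       the result below the two-certificate minimum.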

EXAMPLES
       modify sys crypto ca-bundle-manager bmgr include-bundle add { ca-bundle.crt } include-url add {
       https://ca.f5net.com/ca-bundle.crt } trusted-ca-bundle trusted-ca-chain.crt update-interval 30

       Sets up the ca-bundle-manager bmgr with two sources: one is a locally installed certificate file object, ca-bundle.crt, and
       the other is the remote URL resource https://ca.f5net.com/ca-bundle.crt, downloaded using the trusted CA bundle
       trusted-ca-chain.crt. bmgr is refreshed from the two sources every 30 days.

       modify sys crypto ca-bundle-manager bmgr update-now yes

       Continuing the example above, this command triggers an immediate update of the generated ca-bundle from its sources.

       list sys crypto ca-bundle-manager bmgr -hidden

       Shows all the properties of the ca-bundle-manager bmgr, including the hidden fields.

       delete sys crypto ca-bundle-manager bmgr

       Deletes the ca-bundle-manager bmgr from the system. Note that the generated ca-bundle certificate file object is not
       removed, and can still be used.

OPTIONS
       description
	    Specifies a user-defined description.

       include-bundle
	    Specifies a list of certificate file objects to include for generating the new ca-bundle.

       include-url
	    Specifies a list of remote ca-bundles at the URLs to include for generating the new ca-bundle.

       exclude-bundle
	    Specifies a list of certificate file objects to exclude from the new ca-bundle.

       exclude-url
	    Specifies a list of remote ca-bundles at the URLs to exclude from the new ca-bundle.

       partition
	    Displays the administrative partition within which this ca-bundle-manager resides.

       proxy-server
	    Specifies the host name or IP address of the proxy server for accessing remote URL resources. Only an HTTP proxy
	    is supported. An optional http:// may be prepended.

       proxy-port
	    Specifies the port number of the proxy server for accessing remote URL resources. Default is 3128.

       trusted-ca-bundle
	    Specifies the trusted CA certificate bundle when downloading ca-bundles from the other URLs.

       update-interval
	    Specifies the update interval in days to refresh the remote ca-bundles at the URLs. Default value is 0, which means
	    the generated ca-bundle is not dynamically updated.

       time-out
	    Specifies the time-out period in seconds to download the remote ca-bundles at the URLs. The value ranges between 1 and
	    3600 (1 hour). The default value is 8 seconds.

       update-now
	    Specifies whether the ca-bundle-manager should immediately refresh its generated ca-bundle from all its sources and
	    recalculate its certificate contents. The default value is no.

       updated-by
	    Specifies a read-only attribute from which this ca-bundle-manager was last updated.

       managed-bundle
	    Specifies a read-only attribute, which indicates the ca-bundle certificate file object name, managed by this
	    ca-bundle-manager.

SEE ALSO
       create, list, modify, delete, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013, 2016. All rights reserved.

BIG-IP							    2017-09-05				   sys crypto ca-bundle-manager(1)