sys crypto cert
sys crypto cert(1) BIG-IP TMSH Manual sys crypto cert(1)
NAME
cert - Manage cryptographic certificates on the BIG-IP(r) system.
MODULE
sys crypto
SYNTAX
Manage cryptographic certs using the syntax in the following section.
CREATE
create cert [name]
options:
city [string]
common-name [string]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
country [string]
email-address [string]
key [string]
lifetime [days]
organization [string]
ou [string]
state [string]
subject-alternative-name [string]
INSTALL
install cert [name]
options:
cert-validation-options [none | ocsp]
cert-validators [none | [cert_validator_name]]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
from-editor
from-local-file [filename]
from-url [URL]
issuer-cert [none | [issuer_cert_name]]
no-overwrite
MODIFY
modify cert [name]
options:
cert-validation-options [none | ocsp]
cert-validators [none | [cert_validator_name]]
issuer-cert [none | [issuer_cert_name]]
DELETE
delete cert [name]
DESCRIPTION
You can use the cert component to create, install, and delete cryptographic certificates and bundles.
EXAMPLES
create cert example key testkey.key common-name "My Company Inc." country "US"
Generates a self-signed certificate named "example.crt". A key with the specified name ("testkey.key" in this case) must
already be installed on the system for this operation to succeed. The cert extension (".crt") is appended to the created
cert name if it is not already provided in the name.
create cert /myfolder/example key testkey.key common-name "My Company Inc." country "US"
Similar to above, but creates the cert "example.crt" in the folder "/myfolder" instead of the default "/Common". The
specified folder "/myfolder" must already exist in order for this operation to succeed.
create cert server2 key server2.key common-name "My Company Inc." country "US" consumer webserver
Generates a self-signed certificate named server2.crt. The consumer attribute, "webserver", causes the files to be
placed directly in the path searched by the BIG-IP system httpd. A pre-existing key named "server2.key" must
exist in the web server's key path for this operation to succeed. Note that for non-LTM consumers, the key and
cert names must be the same.
install cert example from-editor
Opens an interactive editor session into which a certificate can be pasted for import into the BIG-IP system. A certificate
file-object named example is created, containing the contents saved from the editor session.
install cert example from-local-file /tmp/example.crt
Obtains a certificate from the file located at /tmp/example.crt.
install cert example from-url http://example.com/example.crt
Obtains a certificate from a remote host, based on the URI specified.
modify sys crypto cert leaf.crt issuer-cert issuer.crt cert-validators add { my_ocsp1 } cert-validation-options { ocsp }
Assigns issuer certificate issuer.crt to the certificate leaf.crt, associates the OCSP certificate validator my_ocsp1 with the
certificate, and enables the OCSP certificate validator for this certificate.
delete cert example.crt
Deletes the certificate "example.crt" from the system.
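A pre-install check for the from-url and from-local-file examples above, added here as an illustration (not F5 code): because from-url also accepts plain HTTP and FTP, download the file first, compare its SHA-256 fingerprint with a value obtained out of band, and only then run install cert with from-local-file. The function names, the placeholder sample bytes, and the colon-separated fingerprint notation are assumptions.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of each certificate in a PEM file or bundle."""
    ders = (base64.b64decode("".join(body.split()))
            for body in PEM_CERT.findall(pem_text))
    return [hashlib.sha256(der).hexdigest() for der in ders]

def normalize(fingerprint):
    """Accept 'AB:CD:...' or plain hex; return lowercase hex without separators."""
    return re.sub(r"[\s:]", "", fingerprint).lower()

def safe_to_install(pem_text, pinned):
    """True only if the file holds at least one certificate and every
    certificate in it matches a fingerprint obtained out of band."""
    allowed = {normalize(p) for p in pinned}
    found = pem_fingerprints(pem_text)
    return bool(found) and set(found) <= allowed

def to_pem(der):
    """Wrap bytes in PEM armor; used only to build the constructed samples."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed placeholder bytes standing in for DER certificates (not real certs).
SAMPLE_DER = b"constructed placeholder, stands in for a DER certificate"
TAMPERED_DER = SAMPLE_DER.replace(b"placeholder", b"PLACEHOLDER")
# Pinned value as an operator might record it: upper-case, colon-separated.
_hex = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
PINNED = ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))

if __name__ == "__main__":
    for label, der in (("expected", SAMPLE_DER), ("tampered", TAMPERED_DER)):
        ok = safe_to_install(to_pem(der), [PINNED])
        # Only a verified file is handed to tmsh, using the syntax shown above.
        print(label, "->",
              "install cert example from-local-file /tmp/example.crt" if ok
              else "fingerprint mismatch, do not install")
```

A bundle passes only if every certificate in it is pinned, so an unexpected extra certificate appended to the file is rejected as well.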
OPTIONS
cert-validation-options
Specifies the option used for validating the certificate status.
cert-validators
Specifies the name of the cert-validators used for validating the certificate status. Each cert-validation type can
only have one cert-validator.
city
Specifies the x509 city field to be used in creation of the certificate.
common-name
Specifies the x509 common-name to be used in creation of the certificate.
consumer
Specifies the system component by which a certificate will be consumed. The default behavior is to create file-objects
for use by ltm components. This is the same as specifying "ltm" for this property. If a component other than "ltm" is
specified, files are installed or created in locations where the specified component can find them. For example,
for component "webserver", certificates are placed in the web server's SSL directories.
country
Specifies the x509 country to be used in creation of the certificate. The country must be a two-letter country code.
email-address
Specifies the x509 email-address to be used in creation of the certificate.
fingerprint
Displays the SHA-256 fingerprint of the certificate.
from-editor
Specifies that the certificate should be obtained from a text editor session. This allows certificates to be imported
by cut-and-paste from another location as long as they are in a text representation.
from-local-file
Specifies a local file path from which a certificate is to be copied.
from-url
Specifies a URI which is to be used to obtain a certificate for import into the system.
The URL syntax is protocol dependent. Supported schemes are "HTTP", "HTTPS", "FTP", "FTPS" and "FILE".
issuer-cert
Specifies the name of the issuer certificate for this certificate.
no-overwrite
Specifies that a certificate is not overwritten if it is already in the scope.
key
Specifies a key from which a certificate should be generated when using the create command.
organization
Specifies the x509 organization to be used in creation of the certificate.
ou
Specifies the x509 organizational unit to be used in creation of the certificate.
state
Specifies the x509 state or province of the certificate.
subject-alternative-name
Specifies standard X.509 extensions as shown in RFC 2459. Allowed values include, for example, DNS:example.com,
IP:192.168.1.1, IP:12:34, email:user@example.com, URI:http://www.example.com
SEE ALSO
create, install, modify, delete, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013. All rights reserved.
BIG-IP 2017-05-01 sys crypto cert(1)