sys crypto key¶

sys crypto key(1) BIG-IP TMSH Manual sys crypto key(1)

NAME
key - Manage cryptographic keys and related objects on the BIG-IP(r) system.

MODULE
sys crypto

SYNTAX
Manage cryptographic keys and related objects of the sys crypto module using the syntax in the following section.

CREATE
create key [name]
options:
challenge-password [string]
admin-email-address [string]
city [string]
common-name [string]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
country [string]
curve-name [prime256v1 | secp384r1 | secp521r1]
email-address [string]
key-size [512 | 1024 | 2048 | 4096]
key-type [dsa-private | ec-private | rsa-private]
lifetime [days]
organization [string]
ou [string]
passphrase [passphrase]
prompt-for-password
security-type [fips | normal | password | nethsm]
state [string]
subject-alternative-name [string]
cert-order-manager [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
check-status [yes | no]
order-id [string | none]
order-passphrase [string | none]
order-type [cancel | new | renew | revoke]
revoke-reason [AACompromise | affiliationChanged | cessationOfOperation | removeFromCRL | unspecified | CACompromise | certificateHold |keyCompromise | privilegeWithdrawn | superseded]
}
}

MODIFY
modify key [name]
options
cert-order-manager [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
check-status [yes | no]
order-id [string | none]
order-passphrase [string | none]
order-type [cancel | new | renew | revoke]
revoke-reason [AACompromise | affiliationChanged | cessationOfOperation | removeFromCRL | unspecified | CACompromise | certificateHold |keyCompromise | privilegeWithdrawn | superseded]
}
}

SHOW
show key
show key [name | none] cert-order-manager

LIST
list key
list key [name]

INSTALL
install key [name]
options:
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
from-editor
from-local-file [filename]
from-url [URL]
from-nethsm
no-overwrite

DELETE
delete key [name]

DESCRIPTION
You can use the key component to create, show, list, install, and delete cryptographic keys and associated cryptographic
objects. The file-objects created by these operations can be used in other BigIP configuration blocks such as ssl profiles.

EXAMPLES
create key mykey

Generates a 2048-bit (default-sized) RSA key file object named "mykey.key". The appropriate extension will be added to the
generated key/cert if not already a part of the provided name.

create key mykey key-type ec-private curve-name prime256v1

Generates a prime256v1 curve name EC private key file object named "mykey.key". The appropriate extension will be added to
the generated key/cert if it is not already a part of the provided name.

create key /myfolder/mykey

Similar to the above action except it creates the key "mykey.key" in the folder "/myfolder" instead of the default
"/Common". The specified folder "/myfolder" must already exist in order for this operation to succeed.

create key example gen-cert gen-csr common-name "My Company Inc." country "US"

Generates a 2048-bit (default-sized) RSA key file object named "example.key" and a self signed certificate named
"example.crt". Also, a certificate signing request will be printed to the console for use in obtaining a signed certificate
from a certificate authority, if desired.

create key my gen-cert gen-csr prompt-for-password common-name "My Company Inc." country "US"

Similar to the above action when creating key "my.key" except it also prompts for a password to be used as a challenge
password in the certificate authority signing procedure.

create key server2 gen-cert gen-csr common-name "My Company Inc." country "US" consumer webserver

Generates a key and self signed certificate identified by server2. The consumer attribute, "webserver", is used to cause
these files to be placed directly in the paths which can be found by the BigIP's httpd.

create key server gen-csr common-name "My Company Inc." country "US" cert-order-manager add { certmgr { order-type new } }

Generates a key and CSR identified by server. Associates cert-order-manager object "certmgr" with the key and makes a "new"
certificate order to the CA.

show key

Shows the number of keys installed in the system.

show key cert-order-manager

Shows certificate order statistics if a cert-order-manager object is associated with key.

list key example.key

Lists all details of the key named "example.key". A key with the specified name "example.key" in this case must already be
installed on the system in order for this operation to succeed.

list key

Lists all details of all keys installed in the system.

install key example from-editor

Opens an interactive editor session into which it a key for import into the BigIP system can be pasted. A key file-object
will be created with the name example which contains the contents saved from the editor session.

install key example from-local-file /tmp/example.key

Obtains a key from the file located at /tmp/example.key.

install key example from-url http://example.com/my.key

Obtains a key from a remote host that is based on the URI specified.

delete key example.key

Deletes the key "example.key" from the system.

OPTIONS
challenge-password
Specifies the challenge password to create the certificate request key.

admin-email-address
Specifies the administrator email-address to be used in creation of the certificate request associated with the given
key.

city Specifies the x509 city field to be used in creation of the certificate associated with the given key.

common-name
Specifies the x509 common-name to be used in creation of the certificate associated with the given key.

consumer
Specifies the system component by which a key and/or associated cryptographic file will be consumed. The default
behavior is to create file-objects for use by ltm components. This is the same as specifying "ltm" for this property.
If a component other than "ltm" is specified then files will be installed/created into locations where the specified
components can find them. For example, for component "webserver", keys and certs will be placed in the webservers ssl
directories.

country
Specifies the x509 country to be used in creation of the certificate associated with the given key. The country must
be a 2 letter country code.

curve-name
Specifies the curve name to be used in creation of the elliptic curve (EC) key. This option only applies when
generating EC keys. The default value is prime256v1.

email-address
Specifies the x509 email-address to be used in creation of the certificate associated with the given key.

from-editor
Specifies that the key should be obtained from a text editor session. This allows keys to be imported via cut-n-paste
from another location as long as they are in a text representation.

from-local-file
Specifies a local file path from which a key is to be copied.

from-url
Specifies a URI which is to be used to obtain a key for import into the configuration of the system.

The URL syntax is protocol dependent. Supported schemes are "HTTP", "HTTPS", "FTP", "FTPS" & "FILE."

from-nethsm
Specifies an option to import an existing key from network-HSM to BIG-IP config. The key label is specified as the key
name to identify the key to be imported from network-HSM.

no-overwrite
Specifies the option for not overwriting a key if it is in the scope.

gen-certificate
Specifies that in addition to generating a key, a self-signed certificate will also be created. If this option is
specified then x509 attributes should also be specified. Minimally, you must also specify a common-name.

gen-csr
Specifies that a certificate signing request should be generated along with the key. The CSR will be displayed to the
terminal for the purposes of use in getting a certificate signed by an outside authority. X509 attributes must also be
specified.

key-size
Specifies the size, in bits, of the key to be generated. This option does not apply when generating EC keys.

key-type
Specifies the type of cryptographic key to be generated. Default is rsa-private.

lifetime
Specifies the certificate life time to be used in creation of the certificate associated with the given key.

organization
Specifies the x509 organization to be used in creation of the certificate associated with the given key.

ou Specifies the x509 organizational unit to be used in creation of the certificate associated with the given key.

prompt-for-password
Specifies that a password should be prompted for and then used as a challenge password in generation of the CSR
(Certificate Signing Request).

security-type
Specifies the level of security used in storing the key in question. For example, a security-type of FIPS means that
the key should be stored on a FIPS card if one is available.

state
Specifies the x509 state or province of the certificate associated with the given key.

passphrase
Specifies an optional passphrase with which the key has been protected. It may be used by consumers of the key in the
data-plane or control-plane to decrypt it.

subject-alternative-name
Specifies standard X.509 extensions as shown in RFC 2459. Allowed values e.g. DNS:example.com, IP:192.168.1.1,
IP:12:34, email:user@example.com, URI:http://www.example.com

cert-order-manager
Specifies an optional cert-order-manager to be associated with the key.

check-status
Specifies that it checks the status of a certificate order. This command triggers an immediate status check query with
CA for a current pending certificate order.

order-id
Specifies the order id for a certificate order. This order id is provided by the CA and the bigip stores it in the
order-id field. Order id is required for certificate renewal and revoke. If the first certificate was not orginally
ordered from the bigip, the user needs to enter the order-id manually before making a certificate renewal or revoke.

order-passphrase
Specifies the order challenge passphrase. This is a CA specific requirement. Some CA's require a challenge passphrase
for making a certificate order.

order-type
Specifies the type of certificate order to authority.

new : Make a new certificate order to the CA.

renew : Make a certificate renewal order to the CA.

revoke : Make a certificate revoke order to the CA.

cancel : Tries to cancel the previous certificate order.

revoke-reason
Specifies the reason for certificate revoke.

SEE ALSO
create, install, show, list, delete, tmsh

COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.

BIG-IP 2018-07-18 sys crypto key(1)