sys crypto key
sys crypto key(1) BIG-IP TMSH Manual sys crypto key(1)
NAME
key - Manage cryptographic keys and related objects on the BIG-IP(r)
system.
MODULE
sys crypto
SYNTAX
Manage cryptographic keys and related objects of the sys crypto module
using the syntax in the following section.
CREATE
create key [name]
options:
challenge-password [string]
admin-email-address [string]
city [string]
common-name [string]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
country [string]
curve-name [prime256v1 | secp384r1 | secp521r1]
email-address [string]
gen-certificate
gen-csr
key-size [512 | 1024 | 2048 | 4096]
key-type [dsa-private | ec-private | rsa-private]
lifetime [days]
organization [string]
ou [string]
passphrase [passphrase]
prompt-for-password
security-type [fips | normal | password | nethsm]
state [string]
subject-alternative-name [string]
SHOW
show key
LIST
list key
list key [name]
INSTALL
install key [name]
options:
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
from-editor
from-local-file [filename]
from-url [URL]
no-overwrite
DELETE
delete key [name]
DESCRIPTION
You can use the key component to create, show, list, install, and
delete cryptographic keys and their associated cryptographic objects
(certificates and certificate signing requests). The file objects these
operations create can be referenced from other BIG-IP configuration
objects, such as SSL profiles.
EXAMPLES
create key mykey
Generates a 2048-bit (default-sized) RSA key file object named
"mykey.key". The appropriate extension will be added to the generated
key/cert if not already a part of the provided name.
create key mykey key-type ec-private curve-name prime256v1
Generates an elliptic curve (EC) private key on the prime256v1 curve as
a file object named "mykey.key". The appropriate extension is added to
the generated key/cert if it is not already part of the provided name.
create key /myfolder/mykey
Similar to the above, but creates the key "mykey.key" in the folder
"/myfolder" instead of the default "/Common". The folder "/myfolder"
must already exist for this operation to succeed.
create key example gen-cert gen-csr common-name "My Company Inc."
country "US"
Generates a 2048-bit (default-sized) RSA key file object named
"example.key" and a self signed certificate named "example.crt". Also,
a certificate signing request will be printed to the console for use in
obtaining a signed certificate from a certificate authority if desired.
create key my gen-cert gen-csr prompt-for-password common-name "My
Company Inc." country "US"
Similar to the above, but creates the key "my.key" and also prompts for
a password, which is embedded in the CSR as the challenge password used
in the certificate authority's signing procedure.
create key server2 gen-cert gen-csr common-name "My Company Inc."
country "US" consumer webserver
Generates a key and self-signed certificate identified by server2. The
consumer attribute "webserver" causes these files to be placed directly
in the paths where the BIG-IP httpd service looks for them.
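The create examples above, turned into a command builder for automation (an added example written for this page, not F5 code). It assumes tmsh's quoting matches the double-quoted X.509 values in the examples and therefore refuses values containing quotes, backslashes or control characters rather than escaping them, so a common-name taken from an untrusted source (for instance a self-service certificate portal) cannot inject further options; MIN_KEY_BITS, the uppercase country check and the option ordering are the example's own choices.

```python
"""Compose a tmsh 'create sys crypto key' command from validated input.

Added example for this page, not F5 code. Quoting follows the page's own
examples (double quotes around X.509 values); because tmsh's escaping rules
are not documented here, any value containing a double quote, backslash or
control character is rejected instead of escaped. MIN_KEY_BITS is a local
policy, not a tmsh rule.
"""
import re

KEY_TYPES = ("rsa-private", "dsa-private", "ec-private")
KEY_SIZES = (512, 1024, 2048, 4096)
CURVES = ("prime256v1", "secp384r1", "secp521r1")
MIN_KEY_BITS = 2048
X509_ATTRS = ("common_name", "organization", "ou", "city", "state",
              "country", "email_address", "subject_alternative_name")

_NAME_RE = re.compile(r"^/?[\w.-]+(/[\w.-]+)*$")   # mykey, /myfolder/mykey
_UNSAFE_RE = re.compile(r'["\\\x00-\x1f\x7f]')


def _quote(value):
    """Wrap a value in double quotes, refusing anything that could break out."""
    if not isinstance(value, str) or not value:
        raise ValueError("empty attribute value")
    if _UNSAFE_RE.search(value):
        raise ValueError(f"unsafe characters in {value!r}")
    return f'"{value}"'


def build_create_key_cmd(name, key_type="rsa-private", key_size=None,
                         curve_name=None, gen_certificate=False, gen_csr=False,
                         lifetime=None, **x509):
    """Return the command string, or raise ValueError for an invalid request."""
    if not _NAME_RE.match(name) or any(s in (".", "..") for s in name.split("/")):
        raise ValueError(f"bad key name {name!r}")
    if key_type not in KEY_TYPES:
        raise ValueError(f"unknown key-type {key_type!r}")
    unknown = set(x509) - set(X509_ATTRS)
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    parts = ["create", "sys", "crypto", "key", name, "key-type", key_type]

    if key_type == "ec-private":            # key size is fixed by the curve
        if key_size is not None:
            raise ValueError("key-size does not apply to EC keys")
        if curve_name is not None:
            if curve_name not in CURVES:
                raise ValueError(f"unsupported curve {curve_name!r}")
            parts += ["curve-name", curve_name]
    else:                                   # RSA or DSA
        if curve_name is not None:
            raise ValueError("curve-name applies only to EC keys")
        if key_size is not None:
            if key_size not in KEY_SIZES:
                raise ValueError(f"key-size must be one of {KEY_SIZES}")
            if key_size < MIN_KEY_BITS:
                raise ValueError(f"key-size {key_size} below policy minimum")
            parts += ["key-size", str(key_size)]

    if gen_certificate or gen_csr:          # the page requires a common-name
        if not x509.get("common_name"):
            raise ValueError("gen-certificate/gen-csr require common-name")
        parts += [opt for opt, on in (("gen-certificate", gen_certificate),
                                      ("gen-csr", gen_csr)) if on]
    country = x509.get("country")           # 2-letter code; uppercase is our choice
    if country is not None and not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError("country must be a 2-letter code")
    if lifetime is not None:
        if not isinstance(lifetime, int) or lifetime <= 0:
            raise ValueError("lifetime must be a positive number of days")
        parts += ["lifetime", str(lifetime)]
    for attr in X509_ATTRS:                 # fixed order keeps output stable
        if x509.get(attr) is not None:
            parts += [attr.replace("_", "-"), _quote(x509[attr])]
    return " ".join(parts)


def rejected(*args, **kwargs):
    """True if build_create_key_cmd refuses the request."""
    try:
        build_create_key_cmd(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_create_key_cmd("example", gen_certificate=True, gen_csr=True,
                               common_name="My Company Inc.", country="US"))
    print(rejected("example", common_name='x" country "ZZ'))  # injection attempt
```

Because the request is validated before a string is ever built, an operator script can feed the result straight to tmsh (module-relative, as in the examples, or with the full `create sys crypto key` form from the top-level prompt) without a second quoting layer.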
show key
Shows the number of keys installed in the system.
list key example.key
Lists all details of the key named "example.key". A key with the
specified name "example.key" in this case must already be installed on
the system in order for this operation to succeed.
list key
Lists all details of all keys installed in the system.
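An added example (not F5 code) that audits the output of list key (tmsh list sys crypto key from the top-level prompt) for keys that fall below a size policy. The sample stanzas are constructed in tmsh's brace-delimited configuration form using the property names documented on this page; which properties a given BIG-IP version actually prints for a key is an assumption, and the thresholds are local policy.

```python
"""Audit 'list sys crypto key' output for weak keys.

Added example for this page, not F5 code. SAMPLE is constructed in the
brace-delimited stanza form tmsh uses for configuration output, with the
property names from this page; the exact properties tmsh prints for a key
vary by version, so treat the field names as an assumption. Policy
thresholds are local choices, not tmsh rules.
"""
import re

SAMPLE = """\
sys crypto key default.key {
    key-size 2048
    key-type rsa-private
    security-type normal
}
sys crypto key /Common/legacy.key {
    key-size 1024
    key-type rsa-private
    security-type normal
}
sys crypto key /Common/api.key {
    curve-name prime256v1
    key-type ec-private
    security-type fips
}
"""

_STANZA_RE = re.compile(r"sys crypto key (\S+) \{(.*?)\n\}", re.S)
ALLOWED_CURVES = ("prime256v1", "secp384r1", "secp521r1")


def parse_keys(text):
    """Map each key name to a dict of its 'property value' lines."""
    keys = {}
    for name, body in _STANZA_RE.findall(text):
        props = {}
        for line in body.strip().splitlines():
            prop, _, value = line.strip().partition(" ")
            if prop:
                props[prop] = value.strip()
        keys[name] = props
    return keys


def audit_keys(text, min_bits=2048):
    """Return (key name, finding) pairs for keys that fail the policy."""
    findings = []
    for name, props in parse_keys(text).items():
        ktype = props.get("key-type", "")
        if ktype in ("rsa-private", "dsa-private"):
            bits = int(props.get("key-size", "0"))
            if bits < min_bits:
                findings.append((name, f"{ktype} key-size {bits} below {min_bits}"))
            if ktype == "dsa-private":
                findings.append((name, "DSA key; TLS 1.3 and current browsers "
                                       "do not support DSA certificates"))
        elif ktype == "ec-private":
            curve = props.get("curve-name", "")
            if curve not in ALLOWED_CURVES:
                findings.append((name, f"unexpected curve {curve!r}"))
        else:
            findings.append((name, f"unknown key-type {ktype!r}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_keys(SAMPLE):
        print(f"{name}: {finding}")
```

Run against the captured output of a real system, the same parser also answers the inventory questions the show command does not (which keys sit on the FIPS card, which are EC), since every stanza property ends up in the per-key dict.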
install key example from-editor
Opens an interactive editor session into which a key can be pasted for
import into the BIG-IP system. A key file object named "example" is
created containing the contents saved from the editor session.
install key example from-local-file /tmp/example.key
Obtains a key from the file located at /tmp/example.key on the BIG-IP
system.
install key example from-url http://example.com/my.key
Obtains a key from a remote host, based on the URI specified. Note that
a private key fetched over plain http or ftp crosses the network in the
clear and can be read or replaced in transit; use https or ftps, or copy
the file to the system out of band and use from-local-file.
delete key example.key
Deletes the key "example.key" from the system.
OPTIONS
challenge-password
Specifies the challenge password to embed in the certificate signing
request (CSR) generated for the given key.
admin-email-address
Specifies the administrator email-address to be used in creation
of the certificate request associated with the given key.
city Specifies the x509 city field to be used in creation of the
certificate associated with the given key.
common-name
Specifies the x509 common-name to be used in creation of the
certificate associated with the given key.
consumer
Specifies the system component that will consume the key and/or the
associated cryptographic files. By default, file objects are created
for use by ltm components; this is the same as specifying "ltm". If a
component other than "ltm" is specified, the files are installed or
created in locations where that component can find them. For example,
for the "webserver" component, keys and certificates are placed in the
web server's SSL directories.
country
Specifies the x509 country to be used in creation of the
certificate associated with the given key. The country must be a 2
letter country code.
curve-name
Specifies the curve on which an elliptic curve (EC) key is generated.
This option applies only when generating EC keys (key-type ec-private).
Default value is prime256v1.
email-address
Specifies the x509 email-address to be used in creation of the
certificate associated with the given key.
from-editor
Specifies that the key should be obtained from a text editor session.
This allows keys to be imported by cut-and-paste from another location,
as long as they are in a text (PEM) representation.
from-local-file
Specifies a local file path from which a key is to be copied.
from-url
Specifies a URI from which a key is to be obtained for import into the
configuration of the system. The URL syntax is protocol dependent.
Supported schemes are http, https, ftp, ftps and file. Of the network
schemes, only https and ftps protect the private key in transit.
no-overwrite
Specifies that an existing key with the same name is not to be
overwritten by the install operation.
gen-certificate
Specifies that, in addition to generating a key, a self-signed
certificate is also created. If this option is specified, the X.509
attributes should also be specified; at a minimum you must specify a
common-name. The examples above use the abbreviated form gen-cert,
which tmsh accepts as an unambiguous prefix of gen-certificate.
gen-csr
Specifies that a certificate signing request (CSR) should be generated
along with the key. The CSR is displayed on the terminal so it can be
submitted to an outside certificate authority for signing. X.509
attributes must also be specified.
key-size
Specifies the size, in bits, of the RSA or DSA key to be generated.
This option does not apply when generating EC keys, whose size is fixed
by curve-name. The 512- and 1024-bit sizes are retained for
compatibility only; current guidance treats anything below 2048 bits as
too weak for production certificates.
key-type
Specifies the type of cryptographic key to be generated. Default
is rsa-private.
lifetime
Specifies the lifetime, in days, of the self-signed certificate created
for the given key.
organization
Specifies the x509 organization to be used in creation of the
certificate associated with the given key.
ou Specifies the x509 organizational unit to be used in creation of
the certificate associated with the given key.
prompt-for-password
Specifies that a password should be prompted for and then used as
a challenge password in generation of the CSR (Certificate Signing
Request).
security-type
Specifies the level of security used to store the key. For example, a
security-type of fips means the key should be stored on a FIPS hardware
security module (HSM) if one is available, and nethsm stores the key on
an external network-attached HSM; in both cases the private key material
stays inside the HSM rather than in a file on the system.
state
Specifies the x509 state or province of the certificate associated
with the given key.
passphrase
Specifies an optional passphrase with which the key file is encrypted.
Consumers of the key in the data plane or control plane use it to
decrypt the key.
subject-alternative-name
Specifies values for the standard X.509 subjectAltName extension as
described in RFC 2459 (since superseded by RFC 5280). Allowed values
are entries of the form used by OpenSSL, e.g. DNS:example.com,
IP:192.168.1.1, IP:12:34, email:user@example.com,
URI:http://www.example.com
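An added example (not part of this manual page) that validates a subject-alternative-name value before it goes into a create key command. It assumes the option takes comma-separated entries in the OpenSSL form shown above and accepts only the four entry kinds the page lists; run on the page's own list it rejects IP:12:34, which parses as neither an IPv4 nor an IPv6 address.

```python
"""Check a subject-alternative-name value before passing it to tmsh.

Added example for this page, not F5 code. It assumes the option takes a
comma-separated list of entries in the OpenSSL subjectAltName form shown
on this page (DNS:, IP:, email:, URI:) and rejects anything else, including
an IP entry that is not a parseable IPv4 or IPv6 address.
"""
import ipaddress
import re
from urllib.parse import urlsplit

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_RE = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)*{_LABEL}$")   # one wildcard label allowed
_EMAIL_RE = re.compile(rf"^[^@\s,]+@(?:{_LABEL}\.)+{_LABEL}$")


def san_problems(san):
    """Return a list of problems found in 'san'; an empty list means it is usable."""
    problems = []
    for raw in san.split(","):
        entry = raw.strip()
        kind, sep, value = entry.partition(":")   # first colon only: keeps IPv6 intact
        if not sep or not value:
            problems.append(f"malformed entry {entry!r}")
            continue
        if kind == "DNS":
            if not _DNS_RE.match(value):
                problems.append(f"bad DNS name {value!r}")
        elif kind == "IP":
            try:
                ipaddress.ip_address(value)        # accepts IPv4 and IPv6 literals
            except ValueError:
                problems.append(f"bad IP address {value!r}")
        elif kind == "email":
            if not _EMAIL_RE.match(value):
                problems.append(f"bad email address {value!r}")
        elif kind == "URI":
            u = urlsplit(value)
            if not u.scheme or not (u.netloc or u.path):
                problems.append(f"bad URI {value!r}")
        else:
            problems.append(f"unsupported type {kind!r} in {entry!r}")
    return problems


if __name__ == "__main__":
    for san in ("DNS:example.com, IP:192.168.1.1, email:user@example.com, "
                "URI:http://www.example.com",
                "DNS:*.example.com, IP:2001:db8::1",
                "IP:12:34, DNS:bad_host"):
        print(san, "->", san_problems(san) or "ok")
```

Splitting on the first colon only is what lets an IPv6 literal such as IP:2001:db8::1 through while still catching a malformed one; a naive split on every colon would mangle both.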
SEE ALSO
create, install, show, list, delete, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015-2016. All rights
reserved.
BIG-IP 2016-04-12 sys crypto key(1)