sys crypto cert
sys crypto cert(1) BIG-IP TMSH Manual sys crypto cert(1)
NAME
cert - Manage cryptographic certificates on the BIG-IP(r) system.
MODULE
sys crypto
SYNTAX
Manage cryptographic certs using the syntax in the following section.
CREATE
create cert [name]
options:
city [string]
common-name [string]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
country [string]
email-address [string]
key [string]
lifetime [days]
organization [string]
ou [string]
state [string]
subject-alternative-name [string]
INSTALL
install cert [name]
options:
cert-validation-options [none | ocsp]
cert-validators [none | [cert_validator_name]]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
from-editor
from-local-file [filename]
from-url [URL]
issuer-cert [none | [issuer_cert_name]]
no-overwrite
MODIFY
modify cert [name]
options:
cert-validation-options [none | ocsp]
cert-validators [none | [cert_validator_name]]
issuer-cert [none | [issuer_cert_name]]
DELETE
delete cert [name]
DESCRIPTION
You can use the cert component to create, install, modify, and delete
cryptographic certificates and certificate bundles.
EXAMPLES
create cert example key testkey.key common-name "My Company Inc."
country "US"
Generates a self-signed certificate named "example.crt". A key named
"testkey.key" must already be installed on the system for this
operation to succeed. The cert extension (".crt") is appended to the
created cert name if it is not already present in the name.
create cert /myfolder/example key testkey.key common-name "My Company
Inc." country "US"
Similar to above, but creates the cert "example.crt" in the folder
"/myfolder" instead of the default "/Common". The specified folder
"/myfolder" must already exist in order for this operation to succeed.
create cert server2 key server2.key common-name "My Company Inc."
country "US" consumer webserver
Generates a self-signed certificate named server2.crt. The consumer
attribute, "webserver", causes the files to be placed directly in the
path searched by the BIG-IP system httpd. A key named "server2.key"
must already exist in the web server's key path for this operation to
succeed. Note that for non-LTM consumers, the key and cert names must
be the same.
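The create examples above assemble the options by hand. The following Python script is added here as an illustration; it is not part of this manual and not F5 code. It builds the `create cert` line for a provisioning script and rejects requests that this manual says would fail on the system: a country code that is not two letters, an unknown consumer, a non-LTM consumer whose key and cert names differ, a relative folder path, and malformed subject-alternative-name entries. It assumes that multiple SAN entries are comma-separated and that double-quoted strings are accepted by tmsh, as in the examples above; the IP check insists on a complete IPv4 or IPv6 literal. All names and values in the usage are constructed.

```python
"""Build and sanity-check tmsh `create cert` command lines (sys crypto module).

Added example, not F5 code. It encodes the constraints this manual states so a
provisioning script fails before it reaches the BIG-IP rather than on it.
"""
import ipaddress
import re
from urllib.parse import urlparse

CONSUMERS = ("enterprise-manager", "iquery", "iquery-big3d", "ltm", "webserver")
SAN_TYPES = ("DNS", "IP", "email", "URI")
# Optional x509 subject fields, keyed by the tmsh option name.
SUBJECT_OPTIONS = ("city", "state", "organization", "ou", "email-address")
_HOSTNAME = re.compile(
    r"(\*\.)?[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*")


def quote(value):
    """Double-quote a value as the manual's examples do, escaping \\ and \"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def cert_object_name(name):
    """tmsh appends ".crt" if absent; do it here so the caller knows the object name.

    A folder prefix (/myfolder/example) is kept; that folder must already exist
    on the BIG-IP, which cannot be checked offline.
    """
    if "/" in name and not name.startswith("/"):
        raise ValueError(f"folder path must be absolute: {name!r}")
    return name if name.endswith(".crt") else name + ".crt"


def stem(path, suffix):
    """Base name without folder and without the given suffix."""
    base = path.rsplit("/", 1)[-1]
    return base[:-len(suffix)] if base.endswith(suffix) else base


def validate_san(san):
    """Split a comma-separated SAN list (assumed syntax) and check each TYPE:value."""
    entries = [e.strip() for e in san.split(",") if e.strip()]
    if not entries:
        raise ValueError("empty subject-alternative-name")
    for entry in entries:
        typ, sep, value = entry.partition(":")
        if not sep or typ not in SAN_TYPES or not value:
            raise ValueError(f"SAN entry {entry!r} must be one of {SAN_TYPES} followed by ':'")
        if typ == "IP":
            ipaddress.ip_address(value)  # ValueError unless a full IPv4/IPv6 literal
        elif typ == "DNS" and not _HOSTNAME.fullmatch(value):
            raise ValueError(f"SAN DNS name {value!r} is not a hostname")
        elif typ == "email" and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            raise ValueError(f"SAN email {value!r} is not an address")
        elif typ == "URI" and not urlparse(value).scheme:
            raise ValueError(f"SAN URI {value!r} has no scheme")
    return entries


def build_create_cert(name, key, common_name, country, consumer="ltm",
                      lifetime=None, san=None, subject=None):
    """Return the `create cert ...` line, or raise ValueError for a bad request."""
    cert = cert_object_name(name)
    subject = subject or {}
    if not re.fullmatch(r"[A-Za-z]{2}", country):
        raise ValueError("country must be a 2-letter country code")
    if consumer not in CONSUMERS:
        raise ValueError(f"unknown consumer {consumer!r}")
    if not key.endswith(".key"):
        raise ValueError("key must name an installed .key object")
    # Non-LTM consumers (httpd, iQuery) find the pair by name: stems must match.
    if consumer != "ltm" and stem(key, ".key") != stem(cert, ".crt"):
        raise ValueError(f"consumer {consumer}: key {key!r} and cert {cert!r} must share a name")
    if lifetime is not None and (not isinstance(lifetime, int) or lifetime <= 0):
        raise ValueError("lifetime must be a positive number of days")
    unknown = set(subject) - set(SUBJECT_OPTIONS)
    if unknown:
        raise ValueError(f"unknown subject option(s): {sorted(unknown)}")

    parts = ["create cert", cert, "key", key,
             "common-name", quote(common_name), "country", quote(country.upper())]
    for opt in SUBJECT_OPTIONS:
        if opt in subject:
            parts += [opt, quote(subject[opt])]
    if consumer != "ltm":
        parts += ["consumer", consumer]
    if lifetime is not None:
        parts += ["lifetime", str(lifetime)]
    if san is not None:
        parts += ["subject-alternative-name", quote(",".join(validate_san(san)))]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values; run the printed line inside tmsh's sys crypto module.
    print(build_create_cert("/myfolder/www", "www.key", "www.example.com", "us",
                            lifetime=365,
                            san="DNS:www.example.com, IP:2001:db8::1",
                            subject={"organization": "My Company Inc."}))
```

The key must still be installed on the system and the folder must exist before the printed line is run; those two conditions are the ones the script cannot check for you.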
install cert example from-editor
Opens an interactive editor session into which a certificate can be
pasted for import into the BIG-IP system. A certificate file-object
named "example" is created containing the contents saved from the
editor session.
install cert example from-local-file /tmp/example.crt
Obtains a certificate from the file located at /tmp/example.crt.
install cert example from-url http://example.com/example.crt
Obtains a certificate from a remote host, based on the URI specified.
Plain http:// and ftp:// downloads carry no integrity protection, so
compare the fingerprint of the installed certificate with the value
you expect.
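Because http:// and ftp:// downloads give no assurance that the file the BIG-IP received is the one the CA delivered, the certificate's fingerprint should be checked after import. The following Python snippet is added here as an example; it is not part of this manual and not F5 code. It extracts the DER bytes from each CERTIFICATE block of a PEM file and computes the SHA-256 fingerprint (conventionally the digest of the DER encoding, which is what a certificate's SHA-256 fingerprint denotes) so the result can be compared with the fingerprint property the system displays for the cert object. The colon-separated display format is an assumption; the comparison ignores separators, case, and a leading "SHA256/" label. The sample PEM is constructed from the bytes "abc" rather than a real certificate so that the example runs offline with a known digest.

```python
"""Check a PEM certificate's SHA-256 fingerprint before and after installing it.

Added example; not F5 code. The fingerprint is SHA-256 over the DER bytes
between the PEM armor lines, shown colon-separated (display format assumed).
"""
import base64
import hashlib
import re

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """DER bytes of every CERTIFICATE block, in file order (a bundle has several).

    Other block types (private keys, CSRs) are ignored; the base64 is validated
    so a truncated or corrupted download fails loudly instead of hashing garbage.
    """
    blocks = _CERT_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return [base64.b64decode("".join(body.split()), validate=True) for body in blocks]


def sha256_fingerprint(der):
    """Uppercase colon-separated SHA-256 of the DER encoding, e.g. 'BA:78:...'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def canonical(fingerprint):
    """Reduce 'SHA256/BA:78:..', 'ba78..' or 'BA 78 ..' to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.rsplit("/", 1)[-1].lower())


def fingerprint_matches(pem_text, reported, index=0):
    """True if the reported fingerprint equals that of the index-th cert in pem_text."""
    expected = canonical(sha256_fingerprint(pem_to_der_list(pem_text)[index]))
    got = canonical(reported)
    if len(got) != 64:
        raise ValueError("reported value is not a SHA-256 fingerprint")
    return expected == got


# Constructed stand-in: the "DER" is just b"abc", whose SHA-256 is the well-known
# test vector ba7816bf...15ad. A real file comes from the CA or the issuer.
SAMPLE_DER = b"abc"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(sha256_fingerprint(pem_to_der_list(SAMPLE_PEM)[0]))
```

For a bundle, index 0 is the first block in the file; compute the fingerprint of each block if the system reports them separately. A mismatch after `install cert ... from-url` means the object on the system is not the file you intended and should be deleted and re-imported.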
modify sys crypto cert leaf.crt issuer-cert issuer.crt cert-validators
add { my_ocsp1 } cert-validation-options { ocsp }
Assigns issuer certificate issuer.crt to the certificate leaf.crt,
associates the OCSP certificate validator my_ocsp1 with the
certificate, and enables OCSP status validation for this certificate.
delete cert example.crt
Deletes the certificate "example.crt" from the system.
OPTIONS
cert-validation-options
Specifies the method used to validate the certificate's status (none
or ocsp).
cert-validators
Specifies the names of the cert-validators used to validate the
certificate's status. Each cert-validation type can have only one
cert-validator.
city Specifies the x509 city field to be used in creation of the
certificate.
common-name
Specifies the x509 common-name to be used in creation of the
certificate.
consumer
Specifies the system component that will consume the certificate. By
default, file-objects are created for use by LTM components, which is
the same as specifying "ltm" for this property. If a component other
than "ltm" is specified, the files are installed or created in the
locations where that component can find them. For example, for
consumer "webserver", certificates are placed in the web server's SSL
directories.
country
Specifies the x509 country to be used in creation of the
certificate. The country must be a 2-letter country code.
email-address
Specifies the x509 email-address to be used in creation of the
certificate.
fingerprint
Displays the SHA-256 fingerprint of the certificate.
from-editor
Specifies that the certificate is obtained from a text editor session.
This allows a certificate in text (PEM) representation to be imported
by cut-and-paste from another location.
from-local-file
Specifies a local file path from which a certificate is to be
copied.
from-url
Specifies a URI from which a certificate is obtained for import into
the system. The URL syntax is protocol dependent. Supported schemes
are HTTP, HTTPS, FTP, FTPS, and FILE.
issuer-cert
Specifies the name of the issuer certificate for this certificate.
no-overwrite
Specifies that the install does not overwrite a certificate that
already exists with the same name in the target scope.
key Specifies a key from which a certificate should be generated when
using the create command.
organization
Specifies the x509 organization to be used in creation of the
certificate.
ou Specifies the x509 organizational unit to be used in creation of
the certificate.
state
Specifies the x509 state or province of the certificate.
subject-alternative-name
Specifies the subject alternative name extension, a standard X.509
extension as described in RFC 2459 (superseded by RFC 5280). Allowed
value types, for example: DNS:example.com, IP:192.168.1.1, IP:12:34,
email:user@example.com, URI:http://www.example.com
SEE ALSO
create, install, modify, delete, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013. All rights reserved.
BIG-IP 2017-05-01 sys crypto cert(1)