sys crypto ca-bundle-manager

sys crypto ca-bundle-manager(1) 		  BIG-IP TMSH Manual		      sys crypto ca-bundle-manager(1)

NAME
       ca-bundle-manager - Certificate Authority (CA) certificate bundle manager on the BIG-IP(r) system.

MODULE
       sys crypto

SYNTAX
       A ca-bundle-manager manages cryptographic ca-bundles using the syntax given in the following sections.

   CREATE/MODIFY
	 create ca-bundle-manager [name]
	 modify ca-bundle-manager [name]
	   options:
	     description [string]
             exclude-bundle
               [add | delete | replace-all-with] {
                  [cert file obj] ...
             }
             exclude-url
               [add | delete | replace-all-with] {
                  [url] ...
             }
             include-bundle
               [add | delete | replace-all-with] {
                  [cert file obj] ...
             }
             include-url
               [add | delete | replace-all-with] {
                  [url] ...
             }
	     proxy-server [ [hostname] | [ipv4] | [ipv6] ]
	     proxy-port [ port number ]
	     trusted-ca-bundle [certificate file object]
	     update-interval [days]
	     time-out [seconds]
	     update-now [yes | no]

   LIST
	 list ca-bundle-manager [name]
	   options:
	     -hidden

   DELETE
	 delete ca-bundle-manager [name]

DESCRIPTION
       You can use the ca-bundle-manager component to automatically update and install CA-bundles on the system from
       two sources, local certificate file objects and remote URL resources, using set include/exclude operations.
       The set include/exclude operations are equivalent to mathematical set addition/subtraction operations. For
       example, the user may use the include-bundle and include-url options to combine CA certificates from various
       sources, and use the exclude-bundle and exclude-url options to remove certain CA certificates from the final
       CA-bundle file. The generated CA-bundle file is installed as a certificate file object on the system and
       used as a trusted CA-bundle by other modules. Additionally, the user may set the update frequency of the
       CA-bundle, or use a web proxy for downloading the remote URL resources. By default, a newly created CA-bundle
       manager does not create or update the managed CA-bundle object unless it has a positive update interval or
       is explicitly told to do so by the update-now option. Additionally, the calculated CA-bundle must contain
       at least two CA certificates to be installed on the system.
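
       The include/exclude set arithmetic and the two-certificate minimum described above, as an added offline
       sketch for previewing a resulting bundle (not F5 code). It assumes certificates are matched by the
       SHA-256 of their DER bytes, which this page does not specify; all function and sample names are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem(der: bytes) -> str:
    """Wrap bytes in a PEM certificate envelope (builds the constructed samples)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def parse_bundle(text: str) -> dict:
    """Map SHA-256(DER) -> DER for every certificate block in a PEM bundle."""
    certs = {}
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()))
        # Assumption: identity is the DER fingerprint, so duplicates collapse.
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs

def effective_bundle(includes, excludes, minimum=2):
    """(union of includes) minus (union of excludes); None if too small to install."""
    included, excluded = {}, set()
    for text in includes:
        included.update(parse_bundle(text))
    for text in excludes:
        excluded.update(parse_bundle(text))
    result = {fp: der for fp, der in included.items() if fp not in excluded}
    if len(result) < minimum:
        return None  # per the page, fewer than two CA certificates is not installed
    return result

# Constructed placeholder "certificates": opaque bytes, not valid X.509.
ROOT_A, ROOT_B, ROOT_C = (pem(b"constructed-root-" + n) for n in (b"A", b"B", b"C"))
LOCAL_BUNDLE = ROOT_A + ROOT_B      # stands in for an include-bundle object
REMOTE_BUNDLE = ROOT_B + ROOT_C     # stands in for an include-url download
DISTRUSTED = ROOT_C                 # stands in for an exclude-bundle object

if __name__ == "__main__":
    final = effective_bundle([LOCAL_BUNDLE, REMOTE_BUNDLE], [DISTRUSTED])
    print(sorted(final))            # fingerprints of ROOT_A and ROOT_B only
    print(effective_bundle([LOCAL_BUNDLE], [ROOT_B]))  # None: one cert left
```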

EXAMPLES
       modify sys crypto ca-bundle-manager bmgr include-bundle add { ca-bundle.crt } include-url add {
       https://ca.f5net.com/ca-bundle.crt } trusted-ca-bundle trusted-ca-chain.crt update-interval 30

       Creates a ca-bundle-manager bmgr from two sources: one is a locally installed certificate file object,
       ca-bundle.crt, and the other is the remote URL resource https://ca.f5net.com/ca-bundle.crt, downloaded using
       the trusted CA bundle trusted-ca-chain.crt. bmgr is refreshed from the two sources every 30 days.

       modify sys crypto ca-bundle-manager bmgr update-now yes

       Extending the above example, this command triggers an immediate update of the generated ca-bundle from its
       sources.

       list sys crypto ca-bundle-manager bmgr -hidden

       Shows all the properties of the ca-bundle-manager bmgr, including the hidden fields.

       delete sys crypto ca-bundle-manager bmgr

       Deletes the ca-bundle-manager bmgr from the system. Note that the generated ca-bundle certificate file object
       is not removed, and can still be used.

OPTIONS
       description
            Specifies a user-defined description.

       include-bundle
	    Specifies a list of certificate file objects to include for generating the new ca-bundle.

       include-url
	    Specifies a list of remote ca-bundles at the URLs to include for generating the new ca-bundle.

       exclude-bundle
	    Specifies a list of certificate file objects to exclude from the new ca-bundle.

       exclude-url
	    Specifies a list of remote ca-bundles at the URLs to exclude from the new ca-bundle.

       partition
            Displays the administrative partition within which this ca-bundle-manager resides.

       proxy-server
            Specifies the host name or IP address of the proxy server for accessing remote URL resources. Only
            HTTP proxy is supported. Optional http:// may be prepended.

       proxy-port
            Specifies the port number of the proxy server for accessing remote URL resources. Default is 3128.

       trusted-ca-bundle
	    Specifies the trusted CA certificate bundle when downloading ca-bundles from the other URLs.

       update-interval
	    Specifies the update interval in days to refresh the remote ca-bundles at the URLs. Default value is 0,
	    which means the generated ca-bundle is not dynamically updated.

       time-out
	    Specifies the time-out period in seconds to download the remote ca-bundles at the URLs. The value ranges
	    between 1 and 3600 (1 hour). The default value is 8 seconds.

       update-now
	    Specifies whether the ca-bundle-manager should immediately refresh its generated ca-bundle from all its
	    sources and recalculate its certificate contents. The default value is no.

       updated-by
	    Specifies a read-only attribute from which this ca-bundle-manager was last updated.

       managed-bundle
	    Specifies a read-only attribute, which indicates the ca-bundle certificate file object name, managed by
	    this ca-bundle-manager.

SEE ALSO
       create, list, modify, delete, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013, 2016. All rights reserved.

BIG-IP						      2017-09-05		      sys crypto ca-bundle-manager(1)