sys crypto cert

sys crypto cert(1)				  BIG-IP TMSH Manual				   sys crypto cert(1)

NAME
       cert - Manage cryptographic certificates on the BIG-IP(r) system.

MODULE
       sys crypto

SYNTAX
       Manage cryptographic certs using the syntax in the following section.

   CREATE
	 create cert [name]
	   options:
	     city [string]
	     common-name [string]
	     consumer
	       [enterprise-manager | iquery | iquery-big3d | ltm | webserver]
	     country [string]
	     email-address [string]
	     key [string]
	     lifetime [days]
	     organization [string]
	     ou [string]
	     state [string]
	     subject-alternative-name [string]

   INSTALL
	 install cert [name]
	   options:
	     cert-validation-options [none | ocsp]
	     cert-validators [none | [cert_validator_name]]
	     consumer
	       [enterprise-manager | iquery | iquery-big3d | ltm | webserver]
	     from-editor
	     from-local-file [filename]
	     from-url [URL]
	     issuer-cert [none | [issuer_cert_name]]
	     no-overwrite

   MODIFY
	 modify cert [name]
	   options:
	   cert-validation-options [none | ocsp]
	   cert-validators [none | [cert_validator_name]]
	   issuer-cert [none | [issuer_cert_name]]

   DELETE
	 delete cert [name]

DESCRIPTION
       You can use the cert component to create, install, modify, and delete cryptographic certificates and bundles.

EXAMPLES
       create cert example key testkey.key common-name "My Company Inc." country "US"

       Generates a self-signed certificate named "example.crt". A key with the specified name ("testkey.key" in this
       case) must already be installed on the system for this operation to succeed. The cert extension (".crt") is
       appended to the created cert name if it is not already provided in the name.

       create cert /myfolder/example key testkey.key common-name "My Company Inc." country "US"

       Similar to above, but creates the cert "example.crt" in the folder "/myfolder" instead of the default
       "/Common". The specified folder "/myfolder" must already exist in order for this operation to succeed.

       create cert server2 key server2.key common-name "My Company Inc." country "US" consumer webserver

       Generates a self-signed certificate named server2.crt. The consumer attribute, "webserver", causes the files
       to be placed directly in the path searched by the BIG-IP system httpd. A key named "server2.key" must already
       exist in the web server's key path for this operation to succeed. Note that for non-LTM consumers, the key
       and cert names must be the same.

       install cert example from-editor

       Opens an interactive editor session into which a certificate can be pasted for import into the BIG-IP system.
       A certificate file-object named "example" is created, containing the contents saved from the editor
       session.

       install cert example from-local-file /tmp/example.crt

       Obtains a certificate from the file located at /tmp/example.crt.

       install cert example from-url http://example.com/example.crt

       Obtains a certificate from a remote host, based on the URI specified.

       modify sys crypto cert leaf.crt issuer-cert issuer.crt cert-validators add { my_ocsp1 } cert-validation-options { ocsp }

       Assigns issuer certificate issuer.crt to the certificate leaf.crt, associates the OCSP certificate validator
       my_ocsp1 with the certificate, and enables OCSP validation for this certificate.

       delete cert example.crt

       Deletes the certificate "example.crt" from the system.
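
       The install examples above take a certificate from a file or URL, and the fingerprint option below displays
       its SHA-256 fingerprint. The following is an added example, not part of the F5 manual: it checks a PEM file
       against a fingerprint obtained out of band before assembling the install command from the INSTALL syntax.
       The function names and the sample PEM (placeholder bytes, not a real certificate) are constructed for
       illustration.

```python
import base64
import hashlib
import re
import shlex

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed sample: the body is placeholder bytes (base64 of b"abc"),
# not a real certificate; only the PEM framing matters for the digest.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def sha256_fingerprints(pem_text):
    """SHA-256 hex digest of the DER bytes of every certificate in the file."""
    digests = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        digests.append(hashlib.sha256(der).hexdigest())
    return digests


def normalize(fingerprint):
    """Drop colons and whitespace and lower-case, so AA:BB equals aabb."""
    return re.sub(r"[:\s]", "", fingerprint).lower()


def checked_install_command(name, path, pem_text, pinned):
    """Return the tmsh command only if the file holds one cert matching the pin."""
    found = sha256_fingerprints(pem_text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(found)}")
    if found[0] != normalize(pinned):
        raise ValueError("SHA-256 fingerprint does not match the pinned value")
    # no-overwrite keeps an existing object of the same name from being replaced.
    return ("tmsh install sys crypto cert {} from-local-file {} no-overwrite"
            .format(shlex.quote(name), shlex.quote(path)))


if __name__ == "__main__":
    pin = ("BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
           "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")
    print(checked_install_command("example", "/tmp/example.crt", SAMPLE_PEM, pin))
```

       A bundle containing several certificates is rejected by checked_install_command; use sha256_fingerprints
       directly to list the digest of each certificate in a bundle.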

OPTIONS
       cert-validation-options
	    Specifies the option used for validating the certificate status.

       cert-validators
	    Specifies the name of the cert-validators used for validating the certificate status. Each
	    cert-validation type can only have one cert-validator.

       city Specifies the x509 city field to be used in creation of the certificate.

       common-name
	    Specifies the x509 common-name to be used in creation of the certificate.

       consumer
	    Specifies the system component by which a certificate will be consumed. The default behavior is to create
	    file-objects for use by ltm components. This is the same as specifying "ltm" for this property. If a
	    component other than "ltm" is specified, files are installed or created in locations where the
	    specified component can find them. For example, for component "webserver", certificates are placed
	    in the web server's SSL directories.

       country
	    Specifies the x509 country to be used in creation of the certificate. The country must be a 2 letter
	    country code.

       email-address
	    Specifies the x509 email-address to be used in creation of the certificate.

       fingerprint
	    Displays the SHA-256 fingerprint of the certificate.

       from-editor
	    Specifies that the certificate should be obtained from a text editor session. This allows certificates to
	    be imported by cut-and-paste from another location, as long as they are in a text representation.

       from-local-file
	    Specifies a local file path from which a certificate is to be copied.

       from-url
	    Specifies a URI which is to be used to obtain a certificate for import into the system.

	    The URL syntax is protocol dependent. Supported schemes are "HTTP", "HTTPS", "FTP", "FTPS" and "FILE".

       issuer-cert
	    Specifies the name of the issuer certificate for this certificate.

       no-overwrite
	    Specifies that the certificate is not overwritten if it is already in the scope.

       key  Specifies a key from which a certificate should be generated when using the create command.

       organization
	    Specifies the x509 organization to be used in creation of the certificate.

       ou   Specifies the x509 organizational unit to be used in creation of the certificate.

       state
	    Specifies the x509 state or province of the certificate.

       subject-alternative-name
	    Specifies standard X.509 extensions as shown in RFC 2459. Examples of allowed values: DNS:example.com,
	    IP:192.168.1.1, IP:12:34, email:user@example.com, URI:http://www.example.com

SEE ALSO
       create, install, modify, delete, tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or
       mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
       other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2009-2013. All rights reserved.

BIG-IP						      2017-05-01				   sys crypto cert(1)