sys crypto key
sys crypto key(1) BIG-IP TMSH Manual sys crypto key(1)
NAME
key - Manage cryptographic keys and related objects on the BIG-IP(r) system.
MODULE
sys crypto
SYNTAX
Manage cryptographic keys and related objects of the sys crypto module using the syntax in the following
section.
CREATE
create key [name]
options:
challenge-password [string]
admin-email-address [string]
city [string]
common-name [string]
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
country [string]
curve-name [prime256v1 | secp384r1 | secp521r1]
email-address [string]
key-size [512 | 1024 | 2048 | 4096]
key-type [dsa-private | ec-private | rsa-private]
lifetime [days]
organization [string]
ou [string]
passphrase [passphrase]
prompt-for-password
security-type [fips | normal | password | nethsm]
state [string]
subject-alternative-name [string]
cert-order-manager [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
check-status [yes | no]
order-id [string | none]
order-passphrase [string | none]
order-type [cancel | new | renew | revoke]
revoke-reason [AACompromise | affiliationChanged | cessationOfOperation | removeFromCRL | unspecified | CACompromise | certificateHold | keyCompromise | privilegeWithdrawn | superseded]
}
}
MODIFY
modify key [name]
options:
cert-order-manager [add | delete | modify | replace-all-with] {
[ [name] ] {
options:
check-status [yes | no]
order-id [string | none]
order-passphrase [string | none]
order-type [cancel | new | renew | revoke]
revoke-reason [AACompromise | affiliationChanged | cessationOfOperation | removeFromCRL | unspecified | CACompromise | certificateHold | keyCompromise | privilegeWithdrawn | superseded]
}
}
SHOW
show key
show key [name | none] cert-order-manager
LIST
list key
list key [name]
INSTALL
install key [name]
options:
consumer
[enterprise-manager | iquery | iquery-big3d | ltm | webserver]
from-editor
from-local-file [filename]
from-url [URL]
from-nethsm
no-overwrite
DELETE
delete key [name]
DESCRIPTION
You can use the key component to create, show, list, install, and delete cryptographic keys and associated
cryptographic objects. The file-objects created by these operations can be used in other BigIP configuration
blocks such as ssl profiles.
EXAMPLES
create key mykey
Generates a 2048-bit (default-sized) RSA key file object named "mykey.key". The appropriate extension will be
added to the generated key/cert if not already a part of the provided name.
create key mykey key-type ec-private curve-name prime256v1
Generates an EC private key on the prime256v1 curve as a file object named "mykey.key". The appropriate extension
will be added to the generated key/cert if it is not already a part of the provided name.
create key /myfolder/mykey
Similar to the above action except it creates the key "mykey.key" in the folder "/myfolder" instead of the
default "/Common". The specified folder "/myfolder" must already exist in order for this operation to succeed.
create key example gen-cert gen-csr common-name "My Company Inc." country "US"
Generates a 2048-bit (default-sized) RSA key file object named "example.key" and a self-signed certificate
named "example.crt". Also, a certificate signing request will be printed to the console for use in obtaining a
signed certificate from a certificate authority, if desired.
create key my gen-cert gen-csr prompt-for-password common-name "My Company Inc." country "US"
Similar to the above action when creating key "my.key" except it also prompts for a password to be used as a
challenge password in the certificate authority signing procedure.
create key server2 gen-cert gen-csr common-name "My Company Inc." country "US" consumer webserver
Generates a key and self-signed certificate identified by server2. The consumer attribute, "webserver", causes
these files to be placed directly in the paths where the BigIP's httpd looks for them.
create key server gen-csr common-name "My Company Inc." country "US" cert-order-manager add { certmgr {
order-type new } }
Generates a key and CSR identified by server. Associates cert-order-manager object "certmgr" with the key and
makes a "new" certificate order to the CA.
show key
Shows the number of keys installed in the system.
show key cert-order-manager
Shows certificate order statistics if a cert-order-manager object is associated with key.
list key example.key
Lists all details of the key named "example.key". A key with the specified name "example.key" in this case
must already be installed on the system in order for this operation to succeed.
list key
Lists all details of all keys installed in the system.
install key example from-editor
Opens an interactive editor session into which a key for import into the BigIP system can be pasted. A key
file-object named example will be created containing the contents saved from the editor session.
install key example from-local-file /tmp/example.key
Obtains a key from the file located at /tmp/example.key.
install key example from-url http://example.com/my.key
Obtains a key from the remote host at the specified URL.
delete key example.key
Deletes the key "example.key" from the system.
OPTIONS
challenge-password
Specifies the challenge password used when creating the certificate signing request for the key.
admin-email-address
Specifies the administrator email-address to be used in creation of the certificate request associated
with the given key.
city
Specifies the x509 city field to be used in creation of the certificate associated with the given key.
common-name
Specifies the x509 common-name to be used in creation of the certificate associated with the given key.
consumer
Specifies the system component by which a key and/or associated cryptographic file will be consumed. The
default behavior is to create file-objects for use by ltm components. This is the same as specifying
"ltm" for this property. If a component other than "ltm" is specified then files will be
installed/created into locations where the specified components can find them. For example, for component
"webserver", keys and certs will be placed in the webserver's SSL directories.
country
Specifies the x509 country to be used in creation of the certificate associated with the given key. The
country must be a 2 letter country code.
curve-name
Specifies the curve name to be used in creation of the elliptic curve (EC) key. This option only applies
when generating EC keys. The default value is prime256v1.
email-address
Specifies the x509 email-address to be used in creation of the certificate associated with the given key.
from-editor
Specifies that the key should be obtained from a text editor session. This allows keys to be imported via
cut-n-paste from another location as long as they are in a text representation.
from-local-file
Specifies a local file path from which a key is to be copied.
from-url
Specifies a URI which is to be used to obtain a key for import into the configuration of the system.
The URL syntax is protocol dependent. Supported schemes are "HTTP", "HTTPS", "FTP", "FTPS" and "FILE".
from-nethsm
Specifies that an existing key is to be imported from a network HSM into the BIG-IP configuration. The key
name given is used as the key label that identifies the key to be imported from the network HSM.
no-overwrite
Specifies that an existing key of the same name in the current scope is not to be overwritten.
gen-certificate
Specifies that in addition to generating a key, a self-signed certificate will also be created. If this
option is specified then x509 attributes should also be specified. Minimally, you must also specify a
common-name.
gen-csr
Specifies that a certificate signing request should be generated along with the key. The CSR will be
displayed to the terminal for the purposes of use in getting a certificate signed by an outside
authority. X509 attributes must also be specified.
key-size
Specifies the size, in bits, of the key to be generated. This option does not apply when generating EC
keys.
key-type
Specifies the type of cryptographic key to be generated. Default is rsa-private.
lifetime
Specifies the certificate life time to be used in creation of the certificate associated with the given
key.
organization
Specifies the x509 organization to be used in creation of the certificate associated with the given key.
ou
Specifies the x509 organizational unit to be used in creation of the certificate associated with the
given key.
prompt-for-password
Specifies that a password should be prompted for and then used as a challenge password in generation of
the CSR (Certificate Signing Request).
security-type
Specifies the level of security used in storing the key in question. For example, a security-type of FIPS
means that the key should be stored on a FIPS card if one is available.
state
Specifies the x509 state or province of the certificate associated with the given key.
passphrase
Specifies an optional passphrase with which the key has been protected. It may be used by consumers of
the key in the data-plane or control-plane to decrypt it.
subject-alternative-name
Specifies the subject alternative name extension, a standard X.509 extension as described in RFC 2459.
Allowed values are of the form type:value, e.g. DNS:example.com, IP:192.168.1.1, IP:12:34,
email:user@example.com, URI:http://www.example.com
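As an added example, not part of this manual page or of F5's own code, the following Python helper checks a set of create key options against the constraints this page states (key-size does not apply to EC keys, curve-name applies only to EC keys, a 2-letter country, the listed key types, curves, sizes and SAN entry types) and emits the tmsh command line. It assumes that several subject-alternative-name entries are separated by commas, as in the list above, and that the option is spelled gen-cert as in the EXAMPLES section; both are assumptions, not statements from the page.

```python
import re

KEY_TYPES = {"dsa-private", "ec-private", "rsa-private"}  # values from this page's SYNTAX section
CURVES = {"prime256v1", "secp384r1", "secp521r1"}
KEY_SIZES = {512, 1024, 2048, 4096}
SAN_TYPES = {"DNS", "IP", "email", "URI"}

def parse_san(san):
    """Return ([(type, value), ...], [error strings]) for a comma-separated SAN string (assumed format)."""
    entries, errors = [], []
    for item in (s.strip() for s in san.split(",")):
        kind, sep, value = item.partition(":")  # first ':' only, so IPv6 and URI values survive intact
        if sep and kind in SAN_TYPES and value:
            entries.append((kind, value))
        else:
            errors.append(f"bad subject-alternative-name entry: {item!r}")
    return entries, errors

def check_create_key(key_type="rsa-private", key_size=None, curve_name=None, country=None,
                     common_name=None, san=None, gen_cert=False, gen_csr=False):
    """Return the reasons an option set violates this page's rules (empty list = valid)."""
    is_ec = key_type == "ec-private"
    rules = [
        (key_type not in KEY_TYPES, f"unknown key-type {key_type!r}"),
        (is_ec and key_size is not None, "key-size does not apply to EC keys"),
        (not is_ec and curve_name is not None, "curve-name only applies to EC keys"),
        (key_size not in (None, *KEY_SIZES), f"unsupported key-size {key_size}"),
        (curve_name not in (None, *CURVES), f"unsupported curve-name {curve_name!r}"),
        (country is not None and not re.fullmatch(r"[A-Za-z]{2}", country), "country must be a 2-letter code"),
        ((gen_cert or gen_csr) and not common_name, "gen-cert/gen-csr need at least a common-name"),
    ]
    errors = [msg for cond, msg in rules if cond]
    if san is not None:
        errors += parse_san(san)[1]
    return errors

def build_create_key(name, **opts):
    """Return the tmsh 'create key' line for a valid option set; raise ValueError otherwise."""
    errors = check_create_key(**opts)
    if errors:
        raise ValueError("; ".join(errors))
    q = lambda s: f'"{s}"' if " " in s else s  # tmsh needs quotes around values containing spaces
    parts = ["create", "key", name, "key-type", opts.get("key_type", "rsa-private")]
    parts += [f.replace("_", "-") for f in ("gen_cert", "gen_csr") if opts.get(f)]
    for opt in ("key_size", "curve_name", "common_name", "country"):
        if opts.get(opt) is not None:
            parts += [opt.replace("_", "-"), q(str(opts[opt]))]
    if opts.get("san"):
        parts += ["subject-alternative-name", ",".join(f"{k}:{v}" for k, v in parse_san(opts["san"])[0])]
    return " ".join(parts)
```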
cert-order-manager
Specifies an optional cert-order-manager to be associated with the key.
check-status
Specifies whether to check the status of a certificate order. Setting this triggers an immediate status
check query to the CA for the currently pending certificate order.
order-id
Specifies the order id for a certificate order. This order id is provided by the CA and the bigip stores
it in the order-id field. The order id is required for certificate renewal and revocation. If the first
certificate was not originally ordered from the bigip, the user needs to enter the order-id manually
before making a certificate renewal or revocation order.
order-passphrase
Specifies the order challenge passphrase. This is a CA-specific requirement; some CAs require a
challenge passphrase for making a certificate order.
order-type
Specifies the type of certificate order to send to the certificate authority.
new : Make a new certificate order to the CA.
renew : Make a certificate renewal order to the CA.
revoke : Make a certificate revoke order to the CA.
cancel : Tries to cancel the previous certificate order.
revoke-reason
Specifies the reason for the certificate revocation.
SEE ALSO
create, install, show, list, delete, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2013, 2015-2018. All rights reserved.
BIG-IP 2018-07-18 sys crypto key(1)