topic Re: Creating user a certificate via API in API / CLI Discussion

Creating user a certificate via API

Nick10 — Fri, 23 Oct 2020 18:59:16 GMT

Hello! I'm trying to automate the process of creating a user and their .p12 certificate for vpn access using the API

My code's process is the following

Create user
publish
Create cert
publish
install

Now the api says it returns

base64-certificate

string

Certificate file encoded in base64.
File format: .P12.

but I'm not sure what to do with the base64 returned by the API. I've tried converting it to binary and saving it as a .p12, but that file doesn't work, and I've also tried just taking the base64 string and saving it as a .p12, but that also isn't working.

I feel like I'm missing something pretty simple here. Could someone help me out?

Thanks,

Nicholas

Re: Creating user a certificate via API

Jim_Oqvist — Fri, 23 Oct 2020 21:35:17 GMT

Hi Nicholas

Have you tried to base64 decode the string and save the output in a p12 file?

There is a more fancy way where you can just pick the value from the JSON collection using jq, but you can use below line as a simple test.

echo base64-certificate-string | base64 --decode -i > mycert.p12

Kind Regards

Jim

Re: Creating user a certificate via API

Nick10 — Fri, 23 Oct 2020 22:03:44 GMT

Hello! Thanks for your response

I've tried your suggestion but had a result similar to other attempts. When I tried to use the resulting cert it did not work when attempting to connect to the VPN, and when I tried to check it out with openssl the decrypt failed(Although it let me enter the password)

Here is my attempt to view it with openssl

openssl pkcs12 -info -in mycert.p12

Enter Import Password:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1
Bag Attributes
friendlyName: coanbase64
localKeyID: (Not sure if this value is significant security wise so redacting it)
1.3.18.0.2.28.24: IBM_SDK_JAVA_8_PKCS12
Error outputting keys and certificates
140042861278528:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:583:
140042861278528:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:62:
140042861278528:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:93:

It seems to have some of the correct info: coanbase64 is the name of the user I created to test this

Re: Creating user a certificate via API

Jim_Oqvist — Tue, 27 Oct 2020 12:11:48 GMT

Hi Nicholas,

I just want to update you. I tried it and are getting the same result as you. I have reached out to R&D and asked them share the inform on how to correctly convert the base64-certificate string into a p12 certificate file. I will update this thread once I have more information.

Kind Regards
Jim

Re: Creating user a certificate via API

Nick10 — Mon, 02 Nov 2020 16:23:09 GMT

Thanks, I appreciate you looking into it!

Re: Creating user a certificate via API

Jim_Oqvist — Tue, 03 Nov 2020 14:50:20 GMT

Just to update, R&D is still investigating.

Re: Creating user a certificate via API

Nick10 — Thu, 05 Nov 2020 15:25:00 GMT

Thanks for the update! Hopefully this results in some clarification for all that helps improve the usability of this already awesome API!

Re: Creating user a certificate via API

Jim_Oqvist — Mon, 16 Nov 2020 15:55:46 GMT

Hi Nicholas,

After investigation this, R&D have concluded that there is an issue with the export of the certificate. They have found the root cause to the issue and will deliver a fix in a JHF for R80.30/R80.40/R81.

If you would like to have a private HF before a JHF with the fix is released. Please open a Support Request (SR) with our TAC, for your convenience, you can use one of the following PRJs as a reference to the issue:

PRJ-19533 R80.30 JHF
PRJ-19534 R80.40 JHF
PRJ-19535 R81 JHF

In the SR specify the PRJ that relevant for your version to get a private HF for your version.

Please note that you will need to include a cpinfo of your management server when opening the SR to allow TAC and R&D to create a private HF specifically for your environment.

Kind Regards

Jim

Re: Creating user a certificate via API

PhoneBoy — Sun, 09 May 2021 23:47:03 GMT

When you have the correct version/JHF applied, extracting the certificate can be done as follows (thanks @Ryan_Darst :))

[Expert@R81-Connect:0]# mgmt_cli -r true -f json add user name ryand
[Expert@R81-Connect:0]# mgmt_cli -r true -f json set user name ryand certificates.add.certificate-file.password vpn123 certificates.add.certificate-file.comment certificate_1 | jq -r '.certificates[] | select(.comments == "certificate_1") | ."base64-certificate"' | base64 --decode -i > ryand.p12

[Expert@R81-Connect:0]# cpopenssl pkcs12 -in ./ryand.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8

OUTPUT removed 😊

udsEHtXCTPz3RGNALHEcIA==
-----END ENCRYPTED PRIVATE KEY-----