topic Re: VPN User Certificates in API / CLI Discussion

VPN User Certificates

biskit — Wed, 20 Apr 2022 09:48:01 GMT

Is there a way via API to generate a new user "Registration Key for certificate enrollment" for a given user?

The equivalent of this in SmartConsole?

I have a looong list of users to issue certificate registration keys for and to save a lot of time I want to do this via API and get all the usernames/codes outputted to a file? (The user objects already exist - I just need the API syntax to generate a new registration code and capture that code somehow)

Re: VPN User Certificates

StuartGreen — Wed, 20 Apr 2022 14:11:04 GMT

Hi Matt,

Will the batch creation tool in the UI work for this? If not - a little bit of scripting around something like this should work (and you can replace the root login with something more suitable in your environment of course).

mgmt_cli -r true set user name tempuser certificates.add.1.registration-key.comment "new reg key"

mgmt_cli -r true show user name tempuser show-certificates true --format json | jq '.certificates[0]."registration-key"'

The jq part will return the first registration key present for the user, so you might want to sort them on date created to get the most recent, or filter it based on the comment you provided.

Re: VPN User Certificates

biskit — Thu, 21 Apr 2022 17:08:31 GMT

Thanks Stuart, that's almost awesome! 😂 I just couldn't find the syntax anywhere for generating reg keys so thanks for your reply.

The first command to generate a new registration key works fine.

The second command gives me an error...

If I run:

> show user name mattdunn show-certificates true

...then it returns all of my user info, including a line showing the cert registration key, so it seems there's something funky not quite right with the --format switch? Do you have any ideas?

Cheers,

Matt

Re: VPN User Certificates

StuartGreen — Thu, 21 Apr 2022 19:15:41 GMT

Hmm, that's odd. Works ok for me on R81.10 management:

The > at the start of your second line makes it look like there are some unbalanced quotes in there. The only quotes should be those around the value after jq. Single quotes around the whole string and double quotes around registration-key.

Try it without the | jq bit and you should just get the JSON format output from the mgmt_cli command.

Re: VPN User Certificates

biskit — Fri, 22 Apr 2022 07:43:19 GMT

I'm on R81.10 too, using the Command Line accessible from SmartConsole in this instance.

I'm running:

show user name mattdunn show-certificates true --format json | jq '.certificates[0]."registration-key"'

I copy/pasted from your original post so I know I have the correct quote symbols... With or without the | jq part I still get the error about missing parameters. Odd. I'll keep having a play and see what I come up with... 😀

Re: VPN User Certificates

biskit — Fri, 22 Apr 2022 07:50:25 GMT

Ah!! Just for a laugh I tried exactly the same command from a normal SSH session instead and it works! I'm not sure what the difference is, but happy days 😀

Thanks for your help!

Re: VPN User Certificates

StuartGreen — Fri, 22 Apr 2022 10:33:43 GMT

awesome news 🙂

The CLI in Smart Console is fine for pure API commands, but because the JQ tool is an external tool (eg, not part of mgmt_cli) you'll need to call that from an expert mode session. I'd guess that the Smart Console terminal tried to interpret the pipe and everything after it as API arguments.

Re: VPN User Certificates

biskit — Fri, 22 Apr 2022 10:44:59 GMT

I've since hit another snag which I'm trying to work around... I've found if the user has already got a cert issued, or has had one in the past, a record of those active/revoked certs is still in the user details (if you run the show command without the json filter on the end), so in that case, even though somewhere in the user info output there is a new Registration Key code, your command just returns "null".

So it seems to only work for the very first time you issue a cert. If you want to revoke and issue another code the "show" command doesn't work. I presume there's a way to essentially do the equivalent of a | grep registration-key to show the code?

I'm useless at API/json commands but I'll have a Google and see what I can find...

Cheers,

Matt

Re: VPN User Certificates

StuartGreen — Fri, 22 Apr 2022 11:33:17 GMT

ahh yes you'll need to apply some filtering either in your script or with JQ. JQ can be a really useful tool, but sometimes it's not very friendly. If as part of your script for creating the registration key you create a random string for the comment (or at least something unique that can identity the new reg key) you can do something like this...

create the key with the unique comment / token:

mgmt_cli -r true set user name tempuser certificates.add.1.registration-key.comment "tempuserNEWKEY22"

Then to get the registration key which matches the unique comment:

mgmt_cli -r true show user name tempuser show-certificates true --format json | jq '.certificates[] | select(.comments == "tempuserNEWKEY22") | ."registration-key"'

That will return the reg key that matches the comment you provide.

Re: VPN User Certificates

biskit — Fri, 22 Apr 2022 13:06:29 GMT

Awesome, thanks Stuart! I'll do some more testing but that appears to work 😁