topic Re: Script to create users and their certificates in API / CLI Discussion

Script to create users and their certificates

Alejandro_Lansa — Fri, 27 Mar 2020 15:49:09 GMT

Our company is sending most of its employees to work from home in order to protect us from covid-19. We are relying on Checkpoint VPN Mobile Client to provide connectivity to our virtual Wokplaces.

Because of that, I have to create a large list of users on our Check Point firewall and their associated certificate (internalCA) Is there a way to automate user and certificate creation? I have created some manually, but that is not efficient.

Thanks,

Alex Lansac

Re: Script to create users and their certificates

PhoneBoy — Sat, 28 Mar 2020 02:33:22 GMT

There aren't formal APIs for this.
However, there is a different approach you can take.

You can generate registration keys for each of your users which they can enter into their VPN client to generate a key on the fly.
You can see the process for generating these keys and mailing them to users demonstrated here: https://community.checkpoint.com/t5/Check-Point-for-Beginners-CP4B/Installing-Remote-Access-VPN-and-Mobile-Access-Blade-from/ba-p/79723#distregkey

Re: Script to create users and their certificates

Alejandro_Lansa — Mon, 30 Mar 2020 05:35:23 GMT

Thanks PhoneBoy. Your approach is very interesting and a clean way to create and distribute certificates. In fact we have to create the users and a certificate for each user. With your solution the seccond part would be solved. Is there a way to create the users from script or CSV file?

Re: Script to create users and their certificates

Sigbjorn — Mon, 30 Mar 2020 08:54:00 GMT

Since there's no API support for it at the moment, you will have to use the generic-object API to do it.

Jim has explained it all in detail in this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-new-user-and-assign-to-an-existing-group-using-the-generic/m-p/39687

/Sigbjorn

Re: Script to create users and their certificates

CepKpy — Thu, 15 Oct 2020 14:01:01 GMT

The manual "Management API Reference v1.6.1" describes the ability to create certificate and registration keys for users.

But I don't understand the syntax. I need to get a registration key. What's wrong?

> set user name test05 certificates add
code: "generic_err_invalid_parameter"
message: "Invalid parameter for [certificates]. The invalid value: [add]"

Re: Script to create users and their certificates

even — Wed, 27 Oct 2021 15:04:13 GMT

Hey, i have the same problem, did you find a way to execute this command?

Re: Script to create users and their certificates

a38c9a68-afd0-4 — Fri, 11 Feb 2022 14:16:28 GMT

Nesting must be used. Example:

{{server}}/set-user

{

"name" : "testlogin-1234",

"details-level" : "full",

"certificates" : {

"add" : {

"registration-key" : {

"expiration-days" : "14"

}

___________________

details-level" : "full" -- needed to get the token from the response

If you need other parameters, then use them.

Important! First, create a user, publish, and then set up a certificate. Same as in smart console.

Re: Script to create users and their certificates

vishardb — Thu, 01 Dec 2022 15:00:05 GMT

How is the nesting handled with mgmt_cli?

Re: Script to create users and their certificates

PhoneBoy — Thu, 01 Dec 2022 15:22:35 GMT

I believe, using the example above, it’s something like: set user name test05 certificates.add.registration-key.expiration-days 14

Re: Script to create users and their certificates

vishardb — Thu, 01 Dec 2022 15:39:08 GMT

Thanks @PhoneBoy !!!

I have SSHed in the management server and used that info to try to generate a user certificate ant worked!

But I've run into another problem I generateed the certificate using the mgmt_cli like below:

set user name test05 certificates.add.certificate-file.password "mypass"

However, I don't know where is the certificate saved? Do you have any idea where it is saved? The command was executed in /home/admin but there p12 file was not there.

Re: Script to create users and their certificates

Alejandro_Lansa — Fri, 02 Dec 2022 06:28:38 GMT

Hi vishardb

The command "set user" returns the certificates as result. If the user has more than one certificate you have to select the correct one.
I have built a script to create VPN users and certificates from a CSV file and I use the word "Zert" in the certificate comment field in order to identify the new certificate.

In my Windows script the command to create and get the certificate for an existing user (username=newuser, password=newpassword) is:

mgmt_cli -s session.id set user name "newuser" certificates.add.certificate-file.password "newpassword" certificates.add.certificate-file.comment "Zert" --format json | jq-win64.exe -r ".certificates[] | select(.comments==\"Zert\") |.\"base64-certificate\"" > certb64.tmp
certutil -decode certb64.tmp newuser.p12

Re: Script to create users and their certificates

vishardb — Mon, 05 Dec 2022 08:18:11 GMT

Thank you for feedback @Alejandro_Lansa!

You mentioned that you are doing this from your Windows machine. Our policy requires us to login with a certificate, do you know if I can use mgmt_cli from Windows with a certifcate?

Re: Script to create users and their certificates

PhoneBoy — Mon, 05 Dec 2022 15:26:58 GMT

As far as I know, yes.
You can review the command line options supported by running mgmt_cli without any arguments.
You can also set your admin user to use API keys, which might be better to use in a fully automated situation.

Re: Script to create users and their certificates

vishardb — Mon, 05 Dec 2022 17:31:52 GMT

Thank you @PhoneBoy I think the API key would be much better.

For accountability and auditing, we need to use individual/unique accounts when managing the firewall.

After I reviewed API Key Authentication (checkpoint.com) and saw that an API key can only be created for a new account.

I also tried mgmt_cli add api-key but got the error "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

Can you help me understand what I did wrong?

Re: Script to create users and their certificates

PhoneBoy — Mon, 05 Dec 2022 18:19:42 GMT

Right, because SmartConsole users aren’t created in same “domain” as Access Policy and Threat Prevention rules/objects.
It requires a separate login to the System Domain where these users can be modified (see: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login~v1.9%20 )