Thanks PhoneBoy. Your approach is very interesting and a clean way to create and distribute certificates. In fact we have to create the users and a certificate for each user. With your solution the seccond part would be solved. Is there a way to create the users from script or CSV file?

Since there's no API support for it at the moment, you will have to use the generic-object API to do it.

Jim has explained it all in detail in this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-new-user-and-assign-to-an-exi...

/Sigbjorn

The manual "Management API Reference v1.6.1" describes the ability to create certificate and registration keys for users.

But I don't understand the syntax. I need to get a registration key. What's wrong?

> set user name test05 certificates add
code: "generic_err_invalid_parameter"
message: "Invalid parameter for [certificates]. The invalid value: [add]"

Hey, i have the same problem, did you find a way to execute this command?

Nesting must be used. Example: 

How is the nesting handled with mgmt_cli?

I believe, using the example above, it’s something like: set user name test05 certificates.add.registration-key.expiration-days 14

Thanks @PhoneBoy !!!

I have SSHed in the management server and used that info to try to generate a user certificate ant worked!

But I've run into another problem I generateed the certificate using the mgmt_cli like below:

set user name test05 certificates.add.certificate-file.password "mypass"

However, I don't know where is the certificate saved? Do you have any idea where it is saved? The command was executed in /home/admin but there p12 file was not there.

Hi vishardb

The command "set user" returns the certificates as result. If the user has more than one certificate you have to select the correct one.
I have built a script to create VPN users and certificates from a CSV file and I use the word "Zert" in the certificate comment field in order to identify the new certificate.

In my Windows script the command to create and get the certificate for an existing user (username=newuser, password=newpassword) is:

mgmt_cli -s session.id set user name "newuser" certificates.add.certificate-file.password "newpassword" certificates.add.certificate-file.comment "Zert" --format json | jq-win64.exe -r ".certificates[] | select(.comments==\"Zert\") |.\"base64-certificate\"" > certb64.tmp
certutil -decode certb64.tmp newuser.p12

Thank you for feedback @Alejandro_Lansa!

You mentioned that you are doing this from your Windows machine. Our policy requires us to login with a certificate, do you know if I can use mgmt_cli from Windows with a certifcate?

As far as I know, yes.
You can review the command line options supported by running mgmt_cli without any arguments.
You can also set your admin user to use API keys, which might be better to use in a fully automated situation.

Thank you @PhoneBoy  I think the API key would be much better.

For accountability and auditing, we need to use individual/unique accounts when managing the firewall. 

After I reviewed API Key Authentication (checkpoint.com) and saw that an API key can only be created for a new account.

I also tried mgmt_cli add api-key but got the error "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

Can you help me understand what I did wrong?

Right, because SmartConsole users aren’t created in same “domain” as Access Policy and Threat Prevention rules/objects.
It requires a separate login to the System Domain where these users can be modified (see: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login~v1.9%20 )