Alejandro_Lansa
Participant

Script to create users and their certificates

Hi

Our company is sending most of its employees to work from home in order to protect us from COVID-19. We are relying on Check Point VPN Mobile Client to provide connectivity to our virtual Workplaces.

Because of that, I have to create a large list of users on our Check Point firewall and their associated certificates (internalCA). Is there a way to automate user and certificate creation? I have created some manually, but that is not efficient.

Thanks,

   Alex Lansac

 

0 Kudos
14 Replies
PhoneBoy
Admin

There aren't formal APIs for this.
However, there is a different approach you can take.

You can generate registration keys for each of your users which they can enter into their VPN client to generate a key on the fly.
You can see the process for generating these keys and mailing them to users demonstrated here: https://community.checkpoint.com/t5/Check-Point-for-Beginners-CP4B/Installing-Remote-Access-VPN-and-...
0 Kudos
Alejandro_Lansa
Participant

Thanks PhoneBoy. Your approach is very interesting and a clean way to create and distribute certificates. In fact, we have to create the users and a certificate for each user. With your solution the second part would be solved. Is there a way to create the users from a script or CSV file?

0 Kudos
Sigbjorn
Advisor

Since there's no API support for it at the moment, you will have to use the generic-object API to do it.

Jim has explained it all in detail in this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-new-user-and-assign-to-an-exi...

 

/Sigbjorn

0 Kudos
CepKpy
Explorer

The manual "Management API Reference v1.6.1" describes the ability to create certificate and registration keys for users.

But I don't understand the syntax. I need to get a registration key. What's wrong?

> set user name test05 certificates add
code: "generic_err_invalid_parameter"
message: "Invalid parameter for [certificates]. The invalid value: [add]"

0 Kudos
even
Explorer

Hey, I have the same problem. Did you find a way to execute this command?

0 Kudos
a38c9a68-afd0-4
Explorer

Nesting must be used. Example: 

{{server}}/set-user
{
  "name" : "testlogin-1234",
  "details-level" : "full",
  "certificates" :  {
      "add" : {
          "registration-key" : {
              "expiration-days" : "14"
          }
      }
  }
}
"details-level" : "full" is needed to get the token from the response.
If you need other parameters, then use them.
Important! First create a user, publish, and then set up a certificate, the same as in SmartConsole.
 
0 Kudos
vishardb
Participant

How is the nesting handled with mgmt_cli?

 

0 Kudos
PhoneBoy
Admin

I believe, using the example above, it’s something like: set user name test05 certificates.add.registration-key.expiration-days 14

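As an added example (not code from this thread or from Check Point), the nested "certificates.add" parameter expressed both ways: as a Python dict that serializes to the Web API JSON body posted above, and as the dotted mgmt_cli form described in the reply above. The flatten helper is the general rule of which certificates.add.registration-key.expiration-days 14 is one instance; its numbering of list items from 1 (key.1, key.2) follows the mgmt_cli convention for arrays. The session file name id.txt is only an assumed argument, and the expiration-days value is passed as a string, as in the posted JSON.

```python
# Added example (not from the thread or Check Point): the nested "certificates.add"
# parameter as a Web API JSON body and as the equivalent dotted mgmt_cli arguments.
import json
import shlex


def registration_key_body(name: str, expiration_days: int = 14) -> dict:
    """set-user body that issues a registration key (the VPN client enrols with it
    and generates its own key); details-level full returns the key in the reply."""
    return {
        "name": name,
        "details-level": "full",
        "certificates": {
            "add": {"registration-key": {"expiration-days": str(expiration_days)}}
        },
    }


def p12_body(name: str, p12_password: str, comment: str) -> dict:
    """set-user body that has the internal CA issue a PKCS#12 file directly,
    protected with p12_password; the comment tags the new certificate."""
    return {
        "name": name,
        "details-level": "full",
        "certificates": {
            "add": {"certificate-file": {"password": p12_password, "comment": comment}}
        },
    }


def flatten(params: dict, prefix: str = "") -> list[tuple[str, str]]:
    """Turn a nested body into mgmt_cli 'key.sub.sub value' pairs.
    Lists are numbered from 1 (key.1, key.2), the mgmt_cli convention for arrays."""
    pairs = []
    for key, value in params.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            pairs.extend(flatten(value, dotted))
        elif isinstance(value, list):
            for index, item in enumerate(value, start=1):
                if isinstance(item, dict):
                    pairs.extend(flatten(item, f"{dotted}.{index}"))
                else:
                    pairs.append((f"{dotted}.{index}", str(item)))
        else:
            pairs.append((dotted, str(value)))
    return pairs


def mgmt_cli_command(command: str, params: dict, session_file: str = "id.txt") -> str:
    """Render the mgmt_cli line for a command such as "set user".
    Values are shell-quoted so a password with spaces or symbols survives intact."""
    parts = ["mgmt_cli", "-s", session_file, *command.split()]
    for key, value in flatten(params):
        parts.extend([key, shlex.quote(value)])
    return " ".join(parts)


if __name__ == "__main__":
    body = registration_key_body("test05")
    print(json.dumps(body, indent=2))          # what goes to POST /web_api/set-user
    print(mgmt_cli_command("set user", body))  # the same request as one mgmt_cli line
```

The two renderings are the same request: mgmt_cli only differs in how the nesting is spelled, and the session id comes from the file given with -s (as in the posted Windows script) instead of an X-chkp-sid header.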
vishardb
Participant

Thanks @PhoneBoy !!!

I have SSHed into the management server and used that info to try to generate a user certificate, and it worked!

But I've run into another problem. I generated the certificate using mgmt_cli like below:

set user name test05 certificates.add.certificate-file.password "mypass"

However, I don't know where the certificate is saved. Do you have any idea where it is saved? The command was executed in /home/admin, but the p12 file was not there.

0 Kudos
Alejandro_Lansa
Participant

Hi vishardb

The command "set user" returns the certificates as its result. If the user has more than one certificate, you have to select the correct one.
I have built a script to create VPN users and certificates from a CSV file, and I use the word "Zert" in the certificate comment field in order to identify the new certificate.

In my Windows script the command to create and get the certificate for an existing user (username=newuser, password=newpassword) is:

mgmt_cli -s session.id set user name "newuser" certificates.add.certificate-file.password "newpassword" certificates.add.certificate-file.comment "Zert" --format json | jq-win64.exe -r ".certificates[] | select(.comments==\"Zert\") |.\"base64-certificate\"" > certb64.tmp
certutil -decode certb64.tmp newuser.p12

(1)
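As an added example (not the poster's Windows script and not Check Point code), the same CSV-driven flow in Python against the Management Web API: create the users, publish, then issue a certificate-file per user with a comment tag, pick the tagged certificate out of the set-user reply and base64-decode it (the certutil -decode step). The HTTP transport is injected, so the flow runs offline against a constructed stand-in that enforces the publish-before-certificate rule; web_api_transport is the real one and assumes you already logged in to /web_api/login and hold the session id. The CSV columns username,p12_password, the add-user body carrying only the name, and the sample rows are all assumptions of this example.

```python
# Added example (not the poster's script): CSV-driven user and certificate
# creation against the Check Point Management API, with the transport injected
# so the flow can be exercised offline against a constructed stand-in.
import base64
import csv
import io
import json
import ssl
import urllib.request
from typing import Callable

Transport = Callable[[str, dict], dict]  # post(command, body) -> parsed JSON reply
CERT_COMMENT = "Zert"  # tag used to find the freshly issued certificate in the reply


def web_api_transport(server: str, sid: str, verify_tls: bool = True) -> Transport:
    """Real transport: POST https://<server>/web_api/<command> with the session id
    from a prior login. Disable verify_tls only for a lab server with a self-signed cert."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def post(command: str, body: dict) -> dict:
        req = urllib.request.Request(
            f"https://{server}/web_api/{command}",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "X-chkp-sid": sid},
        )
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)

    return post


def p12_from_reply(reply: dict, comment: str = CERT_COMMENT) -> bytes:
    """Pick the certificate tagged with `comment` out of a set-user reply and
    decode it (the equivalent of the certutil -decode step). A user may already
    hold other certificates, so refuse to guess when the tag is ambiguous."""
    matches = [c for c in reply.get("certificates", []) if c.get("comments") == comment]
    if len(matches) != 1:
        raise ValueError(f"{reply.get('name')}: {len(matches)} certificates tagged {comment!r}")
    return base64.b64decode(matches[0]["base64-certificate"])


def provision_from_csv(csv_text: str, post: Transport) -> dict[str, bytes]:
    """CSV columns: username,p12_password (assumed layout). Users are created and
    published first; only then can a certificate be issued, as in SmartConsole."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        post("add-user", {"name": row["username"]})  # add email etc. here if needed
    post("publish", {})
    p12_files = {}
    for row in rows:
        reply = post("set-user", {
            "name": row["username"],
            "details-level": "full",
            "certificates": {"add": {"certificate-file": {
                "password": row["p12_password"], "comment": CERT_COMMENT}}},
        })
        p12_files[row["username"]] = p12_from_reply(reply)
    post("publish", {})  # make the issued certificates effective
    return p12_files


def fake_transport() -> Transport:
    """Constructed stand-in for a management server: enforces the publish-before-
    certificate rule and returns a made-up PKCS#12 blob instead of a real one."""
    users: dict[str, list] = {}
    published: set[str] = set()

    def post(command: str, body: dict) -> dict:
        if command == "add-user":
            users[body["name"]] = []
            return {"name": body["name"]}
        if command == "publish":
            published.update(users)
            return {}
        if command == "set-user":
            name = body["name"]
            if name not in published:
                raise RuntimeError(f"{name} has not been published yet")
            new = body["certificates"]["add"]["certificate-file"]
            blob = f"constructed-p12:{name}:{new['password']}".encode()  # not a real PKCS#12
            users[name].append({"comments": new["comment"],
                                "base64-certificate": base64.b64encode(blob).decode()})
            return {"name": name, "certificates": list(users[name])}
        raise ValueError(command)

    return post


SAMPLE_CSV = "username,p12_password\nalice,Wq7!vpn\nbob,Zk3$vpn\n"  # constructed input

if __name__ == "__main__":
    for user, p12 in provision_from_csv(SAMPLE_CSV, fake_transport()).items():
        with open(f"{user}.p12", "wb") as fh:  # hand out with the password out of band
            fh.write(p12)
```

To run it for real, swap fake_transport() for web_api_transport(server, sid) after logging in; the rest of the flow is unchanged. The ambiguity check in p12_from_reply is the caveat from the post above: with several certificates on one user, only the one carrying the tag should be written out, and if the tag matches more than one the script stops instead of picking one at random.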
vishardb
Participant

Thank you for feedback @Alejandro_Lansa!

You mentioned that you are doing this from your Windows machine. Our policy requires us to log in with a certificate; do you know if I can use mgmt_cli from Windows with a certificate?

0 Kudos
PhoneBoy
Admin

As far as I know, yes.
You can review the command line options supported by running mgmt_cli without any arguments.
You can also set your admin user to use API keys, which might be better to use in a fully automated situation.

vishardb
Participant

Thank you @PhoneBoy  I think the API key would be much better.

For accountability and auditing, we need to use individual/unique accounts when managing the firewall.

I reviewed API Key Authentication (checkpoint.com) and saw that an API key can only be created for a new account.

I also tried mgmt_cli add api-key but got the error "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."

Can you help me understand what I did wrong?

0 Kudos
PhoneBoy
Admin

Right, because SmartConsole users aren't created in the same "domain" as Access Policy and Threat Prevention rules/objects.
It requires a separate login to the System Domain, where these users can be modified (see: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login~v1.9%20 )

0 Kudos