Script to create users and their certificates
Hi
Our company is sending most of its employees to work from home in order to protect us from covid-19. We are relying on Checkpoint VPN Mobile Client to provide connectivity to our virtual Workplaces.
Because of that, I have to create a large list of users on our Check Point firewall and their associated certificate (internalCA). Is there a way to automate user and certificate creation? I have created some manually, but that is not efficient.
Thanks,
Alex Lansac
However, there is a different approach you can take.
You can generate registration keys for each of your users which they can enter into their VPN client to generate a key on the fly.
You can see the process for generating these keys and mailing them to users demonstrated here: https://community.checkpoint.com/t5/Check-Point-for-Beginners-CP4B/Installing-Remote-Access-VPN-and-...
Thanks PhoneBoy. Your approach is very interesting and a clean way to create and distribute certificates. In fact we have to create the users and a certificate for each user. With your solution the second part would be solved. Is there a way to create the users from a script or CSV file?
Since there's no API support for it at the moment, you will have to use the generic-object API to do it.
Jim has explained it all in detail in this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Add-new-user-and-assign-to-an-exi...
/Sigbjorn
The manual "Management API Reference v1.6.1" describes the ability to create certificate and registration keys for users.
But I don't understand the syntax. I need to get a registration key. What's wrong?
> set user name test05 certificates add
code: "generic_err_invalid_parameter"
message: "Invalid parameter for [certificates]. The invalid value: [add]"
Hey, i have the same problem, did you find a way to execute this command?
Nesting must be used. Example:
How is the nesting handled with mgmt_cli?
I believe, using the example above, it’s something like: set user name test05 certificates.add.registration-key.expiration-days 14
Thanks @PhoneBoy !!!
I have SSHed into the management server and used that info to try to generate a user certificate, and it worked!
But I've run into another problem. I generated the certificate using mgmt_cli like below:
set user name test05 certificates.add.certificate-file.password "mypass"
However, I don't know where the certificate is saved. Do you have any idea where it is saved? The command was executed in /home/admin but the p12 file was not there.
Hi vishardb
The command "set user" returns the certificates as result. If the user has more than one certificate you have to select the correct one.
I have built a script to create VPN users and certificates from a CSV file and I use the word "Zert" in the certificate comment field in order to identify the new certificate.
In my Windows script the command to create and get the certificate for an existing user (username=newuser, password=newpassword) is:
mgmt_cli -s session.id set user name "newuser" certificates.add.certificate-file.password "newpassword" certificates.add.certificate-file.comment "Zert" --format json | jq-win64.exe -r ".certificates[] | select(.comments==\"Zert\") |.\"base64-certificate\"" > certb64.tmp
certutil -decode certb64.tmp newuser.p12
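The two mechanics this thread turns on, the dotted nesting that mgmt_cli uses for the "certificates.add" parameters (PhoneBoy's post above) and pulling the right PKCS#12 out of the JSON that "set user" returns (Alejandro_Lansa's jq/certutil script), put together as an added example. This is not code from the thread or from Check Point: it is a Python script that reads a CSV of users, builds the mgmt_cli command line for each row, and decodes the certificate from the response. The CSV and the JSON response are constructed sample data; the 1-based index form for array parameters (members.1, members.2) is my understanding of mgmt_cli syntax and is an assumption here, as is the per-run tag format.

```python
"""Build mgmt_cli 'set user' commands from a CSV and extract the PKCS#12 from
the JSON reply. Added example, not code from the CheckMates thread."""
import base64
import csv
import io
import json
import shlex


def flatten_for_mgmt_cli(params, prefix=""):
    """Convert the nested dict a web API call would POST into the dotted
    key/value pairs mgmt_cli expects, e.g.
    {"certificates": {"add": {"registration-key": {"expiration-days": 14}}}}
    -> ["certificates.add.registration-key.expiration-days", "14"].
    Lists are emitted as 1-based indexed keys (assumption about mgmt_cli syntax)."""
    args = []
    for key, value in params.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            args.extend(flatten_for_mgmt_cli(value, full + "."))
        elif isinstance(value, list):
            for i, item in enumerate(value, start=1):
                if isinstance(item, dict):
                    args.extend(flatten_for_mgmt_cli(item, f"{full}.{i}."))
                else:
                    args.extend([f"{full}.{i}", str(item)])
        elif isinstance(value, bool):
            args.extend([full, "true" if value else "false"])
        else:
            args.extend([full, str(value)])
    return args


def set_user_command(user, p12_password, tag):
    """Command that adds a certificate to an existing user, tagging it with a
    comment so it can be told apart from older certificates in the reply.
    'session.id' is the file written by an earlier 'mgmt_cli login'."""
    params = {
        "name": user,
        "certificates": {"add": {"certificate-file": {"password": p12_password,
                                                      "comment": tag}}},
    }
    return shlex.join(["mgmt_cli", "-s", "session.id", "set", "user",
                       *flatten_for_mgmt_cli(params), "--format", "json"])


def commands_from_csv(csv_text, tag):
    """One command per CSV row; columns: name,p12_password (constructed format)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: set_user_command(row["name"], row["p12_password"], tag)
            for row in rows}


def extract_p12(response_json, tag):
    """Select the certificate whose 'comments' carries this run's tag and
    return the decoded PKCS#12 bytes. Requiring exactly one match catches a
    tag reused across runs, which would leave two certificates to choose from."""
    resp = json.loads(response_json)
    matches = [c for c in resp.get("certificates", []) if c.get("comments") == tag]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one certificate tagged {tag!r}, "
                         f"found {len(matches)}")
    return base64.b64decode(matches[0]["base64-certificate"], validate=True)


# Constructed sample input and reply, shaped like the fields the thread's jq
# filter reads (.certificates[].comments and ."base64-certificate").
SAMPLE_CSV = "name,p12_password\nalice,Correct-Horse-1\nbob,Battery-Staple-2\n"
SAMPLE_RESPONSE = json.dumps({
    "name": "alice",
    "certificates": [
        {"comments": "old laptop",
         "base64-certificate": base64.b64encode(b"OLD").decode()},
        {"comments": "Zert-20200320",
         "base64-certificate": base64.b64encode(b"NEW-P12").decode()},
    ],
})

if __name__ == "__main__":
    for name, cmd in commands_from_csv(SAMPLE_CSV, "Zert-20200320").items():
        print(cmd)
    p12 = extract_p12(SAMPLE_RESPONSE, "Zert-20200320")
    with open("alice.p12", "wb") as fh:   # what certutil -decode produced on Windows
        fh.write(p12)
```

Two practical caveats. The PKCS#12 password is passed on the mgmt_cli command line, so it is visible in shell history and in the process list while the command runs; generate a random password per user rather than reusing one and deliver it out of band. And because the decoded .p12 is exactly as sensitive as the user's private key, write it with restrictive permissions and delete it once it has been handed over.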
Thank you for feedback @Alejandro_Lansa!
You mentioned that you are doing this from your Windows machine. Our policy requires us to log in with a certificate; do you know if I can use mgmt_cli from Windows with a certificate?
As far as I know, yes.
You can review the command line options supported by running mgmt_cli without any arguments.
You can also set your admin user to use API keys, which might be better to use in a fully automated situation.
Thank you @PhoneBoy I think the API key would be much better.
For accountability and auditing, we need to use individual/unique accounts when managing the firewall.
I reviewed API Key Authentication (checkpoint.com) and saw that an API key can only be created for a new account.
I also tried mgmt_cli add api-key but got the error "This command can work only on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain)."
Can you help me understand what I did wrong?
Right, because SmartConsole users aren’t created in same “domain” as Access Policy and Threat Prevention rules/objects.
It requires a separate login to the System Domain where these users can be modified (see: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/login~v1.9%20)