biskit
Advisor

VPN User Certificates

Is there a way via API to generate a new user "Registration Key for certificate enrollment" for a given user?

The equivalent of this in SmartConsole?

I have a looong list of users to issue certificate registration keys for, and to save a lot of time I want to do this via the API and get all the usernames/codes output to a file. (The user objects already exist; I just need the API syntax to generate a new registration code and capture that code somehow.)

[Screenshot 2022-04-20 103552.png]

0 Kudos
9 Replies
StuartGreen
Employee

Hi Matt,


Will the batch creation tool in the UI work for this? If not - a little bit of scripting around something like this should work (and you can replace the root login with something more suitable in your environment of course).

mgmt_cli -r true set user name tempuser certificates.add.1.registration-key.comment "new reg key"

mgmt_cli -r true show user name tempuser show-certificates true --format json | jq '.certificates[0]."registration-key"'


The jq part will return the first registration key present for the user, so you might want to sort them on date created to get the most recent, or filter it based on the comment you provided.

0 Kudos
biskit
Advisor

Thanks Stuart, that's almost awesome! 😂  I just couldn't find the syntax anywhere for generating reg keys so thanks for your reply.

The first command to generate a new registration key works fine.

The second command gives me an error...

[Screenshot 2022-04-21 180330.png]

If I run:

> show user name mattdunn show-certificates true

...then it returns all of my user info, including a line showing the cert registration key, so it seems there's something funky not quite right with the --format switch?  Do you have any ideas?

Cheers,

Matt

0 Kudos
StuartGreen
Employee

Hmm, that's odd. Works ok for me on R81.10 management:

[Screenshot 2022-04-21 at 20.06.48.png]

The > at the start of your second line makes it look like there are some unbalanced quotes in there. The only quotes should be those around the value after jq. Single quotes around the whole string and double quotes around registration-key. 

Try it without the | jq bit and you should just get the JSON format output from the mgmt_cli command. 

0 Kudos
biskit
Advisor

I'm on R81.10 too, using the Command Line accessible from SmartConsole in this instance.

I'm running:

show user name mattdunn show-certificates true --format json | jq '.certificates[0]."registration-key"'


I copy/pasted from your original post so I know I have the correct quote symbols...  With or without the | jq part I still get the error about missing parameters.  Odd.  I'll keep having a play and see what I come up with... 😀

0 Kudos
biskit
Advisor

Ah!!  Just for a laugh I tried exactly the same command from a normal SSH session instead and it works!  I'm not sure what the difference is, but happy days 😀

Thanks for your help!

[Screenshot 2022-04-22 084828.png]

0 Kudos
StuartGreen
Employee

Awesome news 🙂


The CLI in SmartConsole is fine for pure API commands, but because the jq tool is an external tool (i.e., not part of mgmt_cli) you'll need to call that from an expert mode session. I'd guess that the SmartConsole terminal tried to interpret the pipe and everything after it as API arguments.

0 Kudos
biskit
Advisor

I've since hit another snag which I'm trying to work around... I've found that if the user has already got a cert issued, or has had one in the past, a record of those active/revoked certs is still in the user details (if you run the show command without the json filter on the end). So in that case, even though somewhere in the user info output there is a new Registration Key code, your command just returns "null".

So it seems to only work the very first time you issue a cert. If you want to revoke and issue another code, the "show" command doesn't work. I presume there's a way to essentially do the equivalent of a | grep registration-key to show the code?

I'm useless at API/json commands but I'll have a Google and see what I can find... 

Cheers,

Matt

0 Kudos
StuartGreen
Employee

Ahh yes, you'll need to apply some filtering either in your script or with jq. jq can be a really useful tool, but sometimes it's not very friendly. If, as part of your script for creating the registration key, you create a random string for the comment (or at least something unique that can identify the new reg key) you can do something like this...

Create the key with the unique comment / token:


mgmt_cli -r true set user name tempuser certificates.add.1.registration-key.comment "tempuserNEWKEY22"

Then to get the registration key which matches the unique comment:

mgmt_cli -r true show user name tempuser show-certificates true --format json | jq '.certificates[] | select(.comments == "tempuserNEWKEY22") | ."registration-key"'


That will return the reg key that matches the comment you provide. 

0 Kudos
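Putting the two halves of the thread together (Stuart's two-command set/show pattern from his first reply, and the unique-comment filter from his last reply that avoids the `null` result when a user already has active or revoked certificates), here is an added example of the batch script the original question asked for. It is editor-supplied illustration code, not something posted in the thread or shipped by Check Point. It assumes the JSON from `mgmt_cli show user ... show-certificates true --format json` has a `certificates` list whose entries carry `registration-key` and `comments` fields, exactly as Stuart's jq filter implies; that is taken from the thread, not verified against API documentation. The file names `users.txt` and `regkeys.csv`, the `issue_key`/`pick_registration_key` helper names and the sample JSON used for offline testing are all constructed for this example.

```python
"""Batch-issue VPN certificate registration keys with mgmt_cli (added example).

Run from an expert-mode shell on the management server, since the thread found
that the SmartConsole command line cannot pipe to external tools. Assumption:
the show-user JSON has a "certificates" list with "registration-key" and
"comments" fields (inferred from the thread's jq filter, not from docs).
"""
import csv
import json
import os
import secrets
import subprocess
import sys
from typing import Callable, Dict, List

# '-r true' logs in as root, as in the thread; a dedicated API user is preferable.
MGMT_CLI = ["mgmt_cli", "-r", "true"]


def new_comment(user: str) -> str:
    """Unique marker so the new key can be told apart from older/revoked certs."""
    return f"{user}-regkey-{secrets.token_hex(4)}"


def pick_registration_key(show_output: str, comment: str) -> str:
    """Return the registration key of the one certificate carrying `comment`.

    Selecting by comment instead of `.certificates[0]` is what fixes the
    'returns null' case: users with earlier (active or revoked) certificates
    have several entries, and the new key is not necessarily the first.
    """
    data = json.loads(show_output)
    matches = [c for c in data.get("certificates", []) if c.get("comments") == comment]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one certificate with comment {comment!r}, "
                          f"found {len(matches)}")
    key = matches[0].get("registration-key")
    if not key:
        raise LookupError(f"certificate with comment {comment!r} has no registration-key")
    return key


def run_mgmt_cli(args: List[str]) -> str:
    """Default runner: invoke mgmt_cli and return its stdout; raises on non-zero exit."""
    return subprocess.run(MGMT_CLI + args, check=True, capture_output=True, text=True).stdout


def issue_key(user: str, runner: Callable[[List[str]], str] = run_mgmt_cli) -> str:
    """Create a registration key tagged with a unique comment, then read it back."""
    comment = new_comment(user)
    runner(["set", "user", "name", user,
            "certificates.add.1.registration-key.comment", comment])
    out = runner(["show", "user", "name", user,
                  "show-certificates", "true", "--format", "json"])
    return pick_registration_key(out, comment)


def issue_keys(users: List[str], runner: Callable[[List[str]], str] = run_mgmt_cli) -> Dict[str, str]:
    """Issue a key per user; a failure is recorded as 'ERROR: ...' rather than aborting the batch."""
    results: Dict[str, str] = {}
    for user in users:
        try:
            results[user] = issue_key(user, runner)
        except (subprocess.CalledProcessError, LookupError, json.JSONDecodeError) as exc:
            results[user] = f"ERROR: {exc}"
    return results


def write_results(results: Dict[str, str], path: str) -> None:
    """Write username,registration-key as CSV, owner-readable only (the keys are enrollment credentials)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["username", "registration-key"])
        for user, key in results.items():
            writer.writerow([user, key])


if __name__ == "__main__":
    # usage: python3 issue_regkeys.py users.txt regkeys.csv   (users.txt: one username per line)
    with open(sys.argv[1]) as fh:
        user_list = [line.strip() for line in fh if line.strip()]
    write_results(issue_keys(user_list), sys.argv[2])
```

The `runner` parameter exists so the mgmt_cli calls can be swapped for a stub when testing the parsing logic away from a management server; in production the default `run_mgmt_cli` is used. Because the output file holds one-time enrollment credentials, it is created with mode 0600 and should be deleted once the keys have been handed out.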
biskit
Advisor

Awesome, thanks Stuart!  I'll do some more testing but that appears to work 😁

0 Kudos
