vADC Forum

New Contributor
Posts: 4
Registered: 02-13-2013
Accepted Solution

Can't import an SSL Certificate through the CLI

I'm trying to import an SSL certificate through the CLI using:

Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "/tmp/example.local.pem", public_cert: "/tmp/example.local.cert" } ]

But I get the error message:

Private key for 'Example Certificate' does not appear to be a valid RSA private key in PEM format.

I can import the certificate fine through the web UI and the Riverbed cert tool says the certificate is fine.

Am I missing something?

New Contributor
Posts: 4
Registered: 02-13-2013

Re: Can't import an SSL Certificate through the CLI

So I've dug through the perl and it looks like I should be passing through the content of those files.

Brocadian
Posts: 230
Registered: 11-29-2012

Re: Can't import an SSL Certificate through the CLI

Dean,

When I see this error in the GUI (which is really doing the same thing, AFAIK) I usually convert the key format using openssl:

Try this and see how you go....

openssl rsa -in my-private-key.pem -text
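The key-format conversion the reply above alludes to, made explicit as an added example (this is not from the thread, nor from Brocade's or Riverbed's tools). It classifies a PEM private key by its header, rewrites an unencrypted PKCS#8 "BEGIN PRIVATE KEY" file as the traditional PKCS#1 "BEGIN RSA PRIVATE KEY" form, and confirms the key belongs to the certificate by comparing RSA moduli, which is the cheapest way to rule out the "certificate and private key ... do not match" error before touching zcli. It assumes openssl is on PATH and that the key is not passphrase-protected; the file names are whatever you pass in.

```shell
#!/bin/sh
# Added example: pre-checks for a PEM key/cert pair before importing it.
# Assumes: openssl on PATH, unencrypted key, LF line endings.

# Print the key container type based on the first line of the file.
pem_key_type() {
    first=$(head -n 1 "$1")
    case "$first" in
        "-----BEGIN RSA PRIVATE KEY-----")        echo pkcs1 ;;
        "-----BEGIN PRIVATE KEY-----")            echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")  echo pkcs8-encrypted ;;
        "-----BEGIN EC PRIVATE KEY-----")         echo ec ;;
        *)                                        echo unknown ;;
    esac
}

# Rewrite an unencrypted RSA key (PKCS#1 or PKCS#8 input) as PKCS#1 PEM.
# OpenSSL 3.x emits PKCS#8 by default, so -traditional is tried first and the
# plain form (OpenSSL 1.x, which already writes PKCS#1) is the fallback.
to_pkcs1_rsa() {
    in="$1"; out="$2"
    case "$(pem_key_type "$in")" in
        pkcs1|pkcs8) ;;
        *) echo "unsupported key type in $in: $(pem_key_type "$in")" >&2; return 1 ;;
    esac
    openssl rsa -in "$in" -traditional -out "$out" 2>/dev/null \
        || openssl rsa -in "$in" -out "$out" 2>/dev/null || return 1
    # Confirm the result really carries the RSA PRIVATE KEY header.
    [ "$(pem_key_type "$out")" = pkcs1 ] || {
        echo "openssl did not produce a PKCS#1 key; use an OpenSSL with -traditional" >&2
        return 1
    }
}

# Return 0 when the RSA modulus in the certificate equals the one in the key.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Usage: sh precheck.sh example.local.pem example.local.cert
if [ "$#" -eq 2 ]; then
    if to_pkcs1_rsa "$1" /tmp/key-rsa.pem && key_matches_cert /tmp/key-rsa.pem "$2"; then
        echo "key converted to /tmp/key-rsa.pem and matches $2"
    else
        echo "conversion failed or key does not match $2" >&2
        exit 1
    fi
fi
```

Note that the `-text` form in the reply only prints the key; it is `-out` that rewrites it, and on OpenSSL 3.x the rewritten file is PKCS#8 again unless `-traditional` is given.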


New Contributor
Posts: 4
Registered: 02-13-2013

Re: Can't import an SSL Certificate through the CLI

The issue does seem to be you need to provide the contents of the key file to zcli. Now I can't work out how to split a command over multiple lines. If I try inputting the key and certificate as one line the riverbed cert tool fails to recognise them as being valid. It outputs:


Error reading key file:Invalid format, no '-----END' found


Brocadian
Posts: 230
Registered: 11-29-2012

Re: Can't import an SSL Certificate through the CLI

I tried the command with the key and cert on a single line and no joy (*):

* Before anyone comments on me posting a private key file in a forum, it is a test key created for this exercise..


Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----", public_cert: "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----" } ] 


I get an error also:


certificate and private key for 'Example Certificate' do not match (Certificate/private key pre-check failed: Error reading key file:Invalid format, no '-----END' found


New Contributor
Posts: 4
Registered: 02-13-2013

Re: Can't import an SSL Certificate through the CLI

So the way to handle this is you need to pass in the file contents, and you need to escape new lines, so the command ends up looking something like:

Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "-----BEGIN RSA PRIVATE KEY-----\nkey\ncontents\nhere\n-----END RSA PRIVATE KEY-----", public_cert: "-----BEGIN CERTIFICATE-----\ncertificate\ncontents\nhere\n-----END CERTIFICATE-----" } ]



Would be nice if this were changed so we could just reference the files.
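The escaping worked out in the post above, done by a script rather than by hand, as an added example that is not part of the thread and not zcli's own code. It reads the key and certificate files, joins each into one line with a literal backslash-n between the original lines, and prints the complete importCertificate command; it also refuses a file whose END marker is missing, since that is what the cert tool reports as "Invalid format, no '-----END' found". It assumes plain PEM files (CR characters are stripped so a file saved on Windows does not smuggle a \r into the argument) and a catalog name without double quotes.

```shell
#!/bin/sh
# Added example: build the zcli import command from PEM files.
# Assumes: PEM input, no double quotes in the catalog name.

# Refuse files that lack the BEGIN/END armour lines; the cert tool fails on
# them with "Invalid format, no '-----END' found".
has_pem_markers() {
    grep -q '^-----BEGIN ' "$1" && grep -q '^-----END ' "$1"
}

# Emit the file as one line, with each newline written as the two characters
# backslash and n. tr removes any CR; awk prints a literal \n before every
# line after the first and no newline at the end.
pem_to_zcli_string() {
    has_pem_markers "$1" || { echo "$1: no -----BEGIN/-----END markers" >&2; return 1; }
    tr -d '\r' < "$1" | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Print the complete zcli command.
# $1 = catalog name, $2 = private key file, $3 = certificate file.
build_import_cmd() {
    key=$(pem_to_zcli_string "$2") || return 1
    cert=$(pem_to_zcli_string "$3") || return 1
    # %s does not reinterpret backslashes, so the \n pairs reach zcli intact.
    printf 'Catalog.SSL.Certificates.importCertificate ["%s"] [ { private_key: "%s", public_cert: "%s" } ]\n' \
        "$1" "$key" "$cert"
}

# Usage: sh build-import.sh "Example Certificate" example.local.pem example.local.cert
if [ "$#" -eq 3 ]; then
    build_import_cmd "$@"
fi
```

The output can be pasted into zcli or piped to it. Keep in mind that the private key then sits in the shell history and in any terminal log, which is one more reason to prefer reading it from a file where the CLI allows it.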

Brocadian
Posts: 230
Registered: 11-29-2012

Re: Can't import an SSL Certificate through the CLI

Dean,

Nice catch.. I tested it, and the only newlines you need are at the end of the ---BEGIN--- and ---END--- lines, so this worked too:


Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "-----BEGIN RSA PRIVATE KEY-----\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\n-----END RSA PRIVATE KEY-----", public_cert: "-----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----" } ]


ZCLI is actually written to use the SOAP API on the STM.  I am sure you could mod yours to parse the file in rather than the string if you wanted to...

Brocadian
Posts: 55
Registered: 06-28-2012

Re: Can't import an SSL Certificate through the CLI

You can use a file in the file system, but the syntax for this is slightly on the cryptic side:

Catalog.SSL.Certificates.importCertificate example {private_key:<("example.private"), public_cert:<("example.public") }

This assumes that the files are in the current working directory; absolute file names should also work.

Brocadian
Posts: 230
Registered: 11-29-2012

Re: Can't import an SSL Certificate through the CLI

Michael Granzow also showed me something I hadn't seen before in zcli: the help syntax command

admin@127.0.0.1 > help syntax

Syntax for entering commands

Class.method arg1 arg2 arg3 ...

Arguments are space or comma-separated. Arguments with spaces, or with non-alphanumeric characters such as ":,|{}[]()'" characters, should be "quoted".

Many commands take a list of arguments, often corresponding to a list of objects (e.g. Virtual Servers). Lists should be put in square brackets, e.g.

VirtualServer.setTimeout [ "VS 1", "VS 2" ], [ 25, 30 ]

Commas between arguments are optional. As a shortcut, if the command expects a list but you are just giving one argument, you do not need to put the brackets around the arguments, this will be performed for you, e.g. the following two commands are identical:

Pool.setKeepalive Intranet 1

Pool.setKeepalive [ Intranet ] [ 1 ]

Some commands expect structures with keys and values. These are entered using { } and using a ':' suffix on each key, e.g.

System.Stats.getNodeErrors { Address: 10.100.1.2, Port: 53 }

Wildcards are allowed for many functions. A '*' symbol will match multiple objects and also multiple commands (but they must have the same inputs), e.g.

Pool.getNodes *

VirtualServer.getPort System*

System.Stats.getWebCache*

String arguments can be read in from files on disk. You can read the content of a file as an argument using the <(filename) operator:

Catalog.SSL.CertificateAuthorities.importCertificateAuthority "my CA" <(~/CAs/myCA.pem)

System.LicenseKeys.addLicenseKeys <(/tmp/mylicense.txt)

Finally, you can pipe the output to a UNIX command from the commandline. For example, if your terminal is not large enough to read all of the output from a command, try appending '| more' to the end of the command, e.g.

help syntax | more


