Layer7 API Management


How do I create a private key in an automated fashion?

  • 1.  How do I create a private key in an automated fashion?

    Posted 01-04-2017 04:11 PM

    I am trying to fully automate the maintenance of the CA API Gateway and I am looking for a way to load a private key using a restman call from Ansible.

    I pass the user off to get a certificate, and am returned the certificate in several formats. Before I start writing shell scripts to parse out a file, I was wondering if anyone else has already tackled this beast, or any similar restman call that would use the X509 certificates. FYI, the identity with the certificate is stored in the LDAP if that does provide a simpler way to implement a solution.

    thanks

    #caapigateway



  • 2.  Re: How do I create a private key in an automated fashion?

    Posted 01-04-2017 07:07 PM

    Michael,

    Good evening. Please review this post, "Import private key through REST API", and let me know if it answers your question.

    Sincerely,

    Stephen Hughes

    Director, CA Support



  • 3.  Re: How do I create a private key in an automated fashion?
    Best Answer

    Posted 01-05-2017 04:54 AM

    We have indeed automated 90% of all API Gateway functionalities, developing a shell framework.

    Here's the injection code for the automated private key creation ('Create Private Key' on the Policy Manager).


    function createPrivateKey {
        # Usage: createPrivateKey [-s|--size <bits>] [-e|--expirydays <days>] [-c|--cacapable] <alias>
        # Relies on the framework helpers getPrivateKeys, getXPathCount, getXPathValue and callPOSTService.
        TEMP=`getopt -o s:e:c --long size:,expirydays:,cacapable -n 'createPrivateKey' -- "$@"`
        if [ $? != 0 ] ; then echo "Terminating..." >&2 ; return 0 ; fi
        eval set -- "$TEMP"

        local rsaKeySize="2048"
        local expiryDays="365"
        local caCapable="false"
        while true; do
            case "$1" in
                -s | --size) rsaKeySize="$2"; shift 2 ;;
                # Fixed: the original assigned to 'expirydays', so --expirydays never changed expiryDays
                -e | --expirydays) expiryDays="$2"; shift 2 ;;
                -c | --cacapable) caCapable="true"; shift ;;
                --) shift; break ;;
                *) break ;;
            esac
        done

        local keyAlias="$1"

        # Idempotency check: list the existing keys and count the ones carrying this alias
        getPrivateKeys
        local keyCount=$(getXPathCount "/l7:List/l7:Item[l7:Name='${keyAlias}']")

        if [[ "${keyCount}" == "0" ]]; then
            # Request body for restman; the alias is interpolated as-is, so keep aliases to plain characters
            local xml="\
    <l7:PrivateKeyCreationContext xmlns:l7='http://ns.l7tech.com/2010/04/gateway-management'> \
        <l7:Dn>CN=${keyAlias}</l7:Dn> \
        <l7:Properties> \
            <l7:Property key='caCapable'> \
                <l7:BooleanValue>${caCapable}</l7:BooleanValue> \
            </l7:Property> \
            <l7:Property key='daysUntilExpiry'> \
                <l7:IntegerValue>${expiryDays}</l7:IntegerValue> \
            </l7:Property> \
            <!-- Uncomment to request an EC key instead of RSA \
            <l7:Property key='ecName'> \
                <l7:StringValue>secp384r1</l7:StringValue> \
            </l7:Property> --> \
            <l7:Property key='rsaKeySize'> \
                <l7:IntegerValue>${rsaKeySize}</l7:IntegerValue> \
            </l7:Property> \
            <l7:Property key='signatureHashAlgorithm'> \
                <l7:StringValue>SHA512</l7:StringValue> \
            </l7:Property> \
        </l7:Properties> \
    </l7:PrivateKeyCreationContext>"
            # Key id is <keystore id>:<alias>; 00000000000000000000000000000002 is the software DB keystore
            callPOSTService "${IDENTPROV}/privateKeys/00000000000000000000000000000002:${keyAlias}" "${xml}"
            local retKeyId=`getXPathValue "/l7:Item/l7:Id/text()"`
            if [[ "${retKeyId}" != "" ]]; then
                [ -n "${DEBUG}" ] && echo " -> Private key '${keyAlias}' created" >&2
                # Framework convention: 1 = created, 0 = skipped or failed
                return 1
            fi
        else
            echo "Error private key '${keyAlias}' already exists"
            return 0
        fi
    }


    function getPrivateKeys {
        # Lists all private keys, or only the one with the given alias; returns the number of items found
        local keyName="$1"
        if [ -z "${keyName}" ]; then
            callGETService "/privateKeys"
        else
            callGETService "/privateKeys?alias=${keyName}"
        fi
        local c=`getXPathCount "/l7:List/l7:Item/l7:Name"`
        return ${c}
    }

    If you now want to insert a user's public key into their account information so that they can log in using their own certificate, use this:


    function setUserCertificate {
        # Usage: setUserCertificate [-d|--delete] <userName> <certPEM>
        # With -d the existing certificate is removed first (removeUserCertificate is a framework helper)
        TEMP=`getopt -o d --long delete -n 'setUserCertificate' -- "$@"`
        if [ $? != 0 ] ; then echo "Terminating..." >&2 ; return 0 ; fi
        eval set -- "$TEMP"

        local deleteCert=0
        while true; do
            case "$1" in
                -d | --delete) deleteCert=1; shift ;;
                --) shift; break ;;
                *) break ;;
            esac
        done

        local userName="$1"
        local certPEM="$2"

        local userId=$(getUserId "${userName}")
        if [ -n "${userId}" ]; then
            [ $deleteCert == 1 ] && removeUserCertificate "${userName}"
            local xml="\
    <l7:CertificateData xmlns:l7='http://ns.l7tech.com/2010/04/gateway-management'> \
        <l7:Encoded>${certPEM}</l7:Encoded> \
    </l7:CertificateData>"
            callPUTService "${IDENTPROV}/users/${userId}/certificate" "${xml}"
            # Returns 1 when the response carries an Item, 0 otherwise
            local c=`getXPathCount "/l7:Item/l7:Name"`
            return ${c}
        fi
        return 0
    }


    You can surely figure out missing functions we developed, nothing extraordinary here.

    Tricky functions might be getXPathCount and getXPathText though (hint: xml_grep is a must have).
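The same create-key flow as an added example, not code from the thread or from the CA framework: it builds the l7:PrivateKeyCreationContext with ElementTree (so an alias containing XML metacharacters is escaped instead of being spliced into the request as the shell string above does) and runs the two XPath lookups from the answer over a constructed sample list response. The /restman/1.0 path prefix is assumed; the keystore id, namespace and element names are the ones used in the post.

```python
import xml.etree.ElementTree as ET

L7 = "http://ns.l7tech.com/2010/04/gateway-management"   # namespace used in the post
NS = {"l7": L7}
ET.register_namespace("l7", L7)
SOFTWARE_KEYSTORE = "00000000000000000000000000000002"   # keystore id used in the post
RESTMAN = "/restman/1.0"                                  # assumed restman path prefix

# Constructed sample of a GET /privateKeys list response (shape only, not real gateway output).
SAMPLE_KEY_LIST = f"""<l7:List xmlns:l7='{L7}'>
  <l7:Item><l7:Name>ssl</l7:Name><l7:Id>{SOFTWARE_KEYSTORE}:ssl</l7:Id></l7:Item>
  <l7:Item><l7:Name>svc-a</l7:Name><l7:Id>{SOFTWARE_KEYSTORE}:svc-a</l7:Id></l7:Item>
</l7:List>"""


def count_keys_named(list_xml: str, alias: str) -> int:
    """getXPathCount("/l7:List/l7:Item[l7:Name='alias']"), but comparing element
    text in Python so an alias containing a quote cannot break the XPath."""
    root = ET.fromstring(list_xml)
    return sum(1 for item in root.findall("l7:Item", NS)
               if item.findtext("l7:Name", namespaces=NS) == alias)


def created_key_id(item_xml: str) -> str:
    """getXPathValue("/l7:Item/l7:Id/text()") on the POST response."""
    return ET.fromstring(item_xml).findtext("l7:Id", default="", namespaces=NS)


def private_key_creation_context(alias, rsa_key_size=2048, expiry_days=365,
                                 ca_capable=False) -> str:
    """Build the l7:PrivateKeyCreationContext body; ElementTree escapes the alias."""
    ctx = ET.Element(f"{{{L7}}}PrivateKeyCreationContext")
    ET.SubElement(ctx, f"{{{L7}}}Dn").text = f"CN={alias}"
    props = ET.SubElement(ctx, f"{{{L7}}}Properties")
    for key, tag, value in (("caCapable", "BooleanValue", str(ca_capable).lower()),
                            ("daysUntilExpiry", "IntegerValue", str(expiry_days)),
                            ("rsaKeySize", "IntegerValue", str(rsa_key_size)),
                            ("signatureHashAlgorithm", "StringValue", "SHA512")):
        prop = ET.SubElement(props, f"{{{L7}}}Property", key=key)
        ET.SubElement(prop, f"{{{L7}}}{tag}").text = value
    return ET.tostring(ctx, encoding="unicode")


def plan_create_private_key(list_xml: str, alias: str, **opts):
    """Same idempotency check as the post: return (path, body) for the POST,
    or None when a key with this alias already exists in the listing."""
    if count_keys_named(list_xml, alias):
        return None
    return (f"{RESTMAN}/privateKeys/{SOFTWARE_KEYSTORE}:{alias}",
            private_key_creation_context(alias, **opts))
```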