Open krgo opened 6 years ago
Unfortunately the REST API does not support setting the label as an argument - it reads it from the cert file. The reason the function requires a label is to check if the certificate already exists. Maybe we could eliminate that and read the cert file to determine the label - not sure how to do that yet.
Thanks for that clarification. It would be nice if the REST API would support setting a label (it is possible through the LMI).
I'll ask in the EAP forums.
I do not see it in the LMI? I just checked - we use the same REST APIs as the LMI does.
Hi,
I found a possibility here: "Manage system settings" -> "SSL Certificates", select the keystore where you want to add a certificate and choose "Manage" -> "Edit SSL Certificate Database". At the signer certificate tab, select "Manage" -> "Import". Select the PEM file and enter the label. The certificate will have the specified label in the keystore.
I noticed that importing it as a personal certificate, changing the certificate type to PEM and not specifying a password, puts the certificate amongst the "signer certificates" too.
When it comes to personal certificates I can think of two options:
Signer certificates work differently, and so do certificates that do not have a private key in them.
The first option would make more sense to me, as in general most tools that deal with certificates in keystores work with labels.
The first option needs a python package that will allow for parsing and loading of the personal certificate - for example pyopenssl. I don't see this being handled using standard python.
So if pyopenssl is found - then we could read the cert file and use the label inside it and ignore the one provided. There will be a warning to that effect. Or we could re-write the certificate to have the new label and use that new file.
I am thinking there has to be a better solution...
It seems like ibmsecurity.isam.base.ssl_certificates.personal_certificate.import_cert ignores the specified label if you import a crt file. The certificate is imported as expected, but the label is ignored and instead, the certificate subject is used as the label.
Example command and output:
ibmsecurity.isam.base.ssl_certificates.personal_certificate.import_cert(appliance, "docker_ldap_certs", "ISAM LDAP server", "/Users/lemming/isam9/certs/ldap.crt", password=None)
[14:04:19.1519391059] [INFO] Retrieving personal certificate names and details in a certificate database
[14:04:21.1519391061] [INFO] Importing a personal certificate into a certificate database
Out[4]: {'status_code': 0, 'changed': True, 'data': '', 'rc': 0, 'warnings': []}
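As an added example (not code from the ibmsecurity project or from anyone in this thread), the following pre-check reads the subject out of a PEM file with only the standard library, so a caller can see which label the appliance is going to assign and whether it matches the one passed to import_cert, addressing the "read the cert file to determine the label" idea and the subject-as-label behaviour reported above. It assumes the appliance uses the subject DN verbatim as the label; the sample PEM at the bottom is a constructed skeleton for the walker, not a real certificate.

```python
import base64, re

def _tlv(buf, pos):                         # one DER tag-length-value starting at pos
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                           # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(seq):                         # split a constructed value into (tag, value) pairs
    pos, out = 0, []
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _oid(raw):                              # dotted OID from its DER content bytes
    parts, acc = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc); acc = 0
    return ".".join(map(str, parts))

_SHORT = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.6": "C"}

def subject_from_pem(pem):
    """Subject of the first certificate in a PEM string, rendered as 'CN=..,O=..' in file order."""
    b64 = re.search(r"BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    der = base64.b64decode("".join(b64.split()))
    fields = _children(_children(_tlv(der, 0)[1])[0][1])   # Certificate -> tbsCertificate -> fields
    if fields[0][0] == 0xA0:                # drop the explicit [0] version if present
        fields = fields[1:]
    rdns = []                               # serial, sigAlg, issuer, validity, subject -> index 4
    for _, rdn in _children(fields[4][1]):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            rdns.append(f"{_SHORT.get(_oid(oid), _oid(oid))}={val.decode()}")
    return ",".join(rdns)

def check_label(pem, requested):
    """(label the appliance will assign, does it equal the requested one); assumes subject DN verbatim."""
    derived = subject_from_pem(pem)
    return derived, derived == requested

# Constructed sample (not a real certificate): skeletal tbsCertificate without key or signature,
# just enough structure for the walker above; short-form DER lengths only.
def _der(tag, body): return bytes([tag, len(body)]) + body
def _atv(oid, value):
    a = [int(x) for x in oid.split(".")]
    return _der(0x31, _der(0x30, _der(0x06, bytes([a[0] * 40 + a[1]] + a[2:])) + _der(0x0C, value.encode())))
def _name(*pairs): return _der(0x30, b"".join(_atv(o, v) for o, v in pairs))
_TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") +
            _name(("2.5.4.3", "Test CA")) + _der(0x30, b"") + _name(("2.5.4.3", "ldap.example"), ("2.5.4.10", "Example")))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(_der(0x30, _TBS)).decode() + "\n-----END CERTIFICATE-----\n"
```

Running check_label on a real .crt before calling import_cert lets the caller warn when the requested label ("ISAM LDAP server" in the output above) will not be the one that ends up in the keystore.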