Use REST API to configure ssl cert for infoblox grid
05-25-2021 12:49 PM
Hello. I am trying to write a script that performs post-provisioning tasks on deployed Infoblox instances. Part of this task involves installing several CA certs as well as an SSL certificate for HTTPS. I have been able to install the CA certs using the example provided in the wapidoc documentation:
curl -H "Content-Type:application/json" -k -u admin:infoblox -X POST \
  https://127.0.0.1/wapi/v2.10.1/fileop?_function=uploadinit -d '{}'
The server will return URL for direct upload and file token to use in fileop function calls:
{
  "token": "eJydUMtOwzAQvO+...",
  "url": "https://127.0.0.1/http_direct_file_io/..."
}
Using curl we can upload contents of the CA certificate (ca.cert.pem) to a URL returned from datauploadinit operation:
curl -k1 -u admin:infoblox -F file=@ca.cert.pem \
  "https://127.0.0.1/http_direct_file_io/..."
To upload the CA certificate (cacertificate), call the fileop uploadcertificate function with the certificate_usage parameter set to EAP_CA, member set to a desired member hostname, and token set to a token value returned by a fileop datauploadinit function call, as follows:
curl -k1 -u admin:infoblox -X POST -H "Content-Type: application/json" \
  https://127.0.0.1/wapi/v2.10.1/fileop?_function=uploadcertificate -d \
  '{ "certificate_usage": "EAP_CA", "member": "infoblox.localdomain", "token": "eJydUMtOwzAQvO+..." }'
The server will return empty dictionary if operation succeeds:
{}
However, I cannot seem to determine how to perform the same task with the ssl certificate. I have tried performing the same task with the ssl cert, but I keep getting this error:
The certificate does not belong to a Certificate Authority
What am I doing wrong? What do I need to do differently?
Re: Use REST API to configure ssl cert for infoblox grid
05-25-2021 12:55 PM
The grid will not allow import of a certificate if it doesn't match a CSR generated within the grid. You will need to make a CSR on the grid first. Export that CSR, have it signed by the CA, and then import the signed cert to the grid.
Re: Use REST API to configure ssl cert for infoblox grid
05-26-2021 07:38 AM
So, what you are telling me is that we would have to generate the certificate after Infoblox has been deployed. We can't create a CSR ourselves and generate a certificate that way. You might want to consider adding functionality which allows users to import CSRs that are generated outside Infoblox in a future release, as this prevents us from being able to automate this part of the deployment, which is upsetting to say the least.
Re: Use REST API to configure ssl cert for infoblox grid
06-07-2021 07:19 AM
You can automate the CSR generation on the Grid using REST API:
POST 'https://x.x.x.x/wapi/v2.10/fileop?_function=generatecsr'
{
  "algorithm": "SHA-256",
  "email": "admin@example.com",
  "certificate_usage": "ADMIN"
}
The syntax might not be 100% correct, as I am trying to recall it from memory, but check the API documentation on using the 'fileop' object. It should allow you to generate a CSR, download it, sign it, then upload the signed certificate, also using fileop.
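The procedure from the replies above (generate the CSR on the grid, download it, have it signed, upload the signed certificate), as an added Python example that is not from the thread or from Infoblox. The `cn` and `member` fields, the `token`/`url` reply of `generatecsr`, and the `downloadcomplete` call are assumptions to verify against your WAPI documentation; `signed.cert.pem` is a placeholder file name.

```python
import base64, json, urllib.request, uuid

WAPI = "/wapi/v2.10.1"  # WAPI version from the thread's curl examples

def make_http(user, password, context=None):
    """Build http(method, url, body, headers) -> bytes with HTTP basic auth."""
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    def http(method, url, body=None, headers=None):
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": auth, **(headers or {})})
        with urllib.request.urlopen(req, context=context) as resp:
            return resp.read()
    return http

def multipart(filename, content):
    """Encode one 'file' form field, the equivalent of curl -F file=@name."""
    boundary = uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n')
    body = head.encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return body, {"Content-Type": f"multipart/form-data; boundary={boundary}"}

def fileop(http, host, function, payload):
    """POST one fileop function call and decode the JSON reply."""
    url = f"https://{host}{WAPI}/fileop?_function={function}"
    raw = http("POST", url, json.dumps(payload).encode(),
               {"Content-Type": "application/json"})
    return json.loads(raw)

def fetch_csr(http, host, member, cn, email):
    """Step 1: the grid creates the key pair and CSR; download the CSR."""
    # Assumed: generatecsr accepts cn/member and replies with token + url,
    # and downloadcomplete releases the token. Check your WAPI documentation.
    reply = fileop(http, host, "generatecsr", {
        "algorithm": "SHA-256", "certificate_usage": "ADMIN",
        "cn": cn, "email": email, "member": member})
    csr = http("GET", reply["url"])
    fileop(http, host, "downloadcomplete", {"token": reply["token"]})
    return csr

def install_cert(http, host, member, cert_pem):
    """Step 2, after the CA signs the CSR: upload the certificate as ADMIN."""
    slot = fileop(http, host, "uploadinit", {})
    body, headers = multipart("signed.cert.pem", cert_pem)
    http("POST", slot["url"], body, headers)
    # EAP_CA expects a CA certificate; the HTTPS certificate uses ADMIN here.
    return fileop(http, host, "uploadcertificate", {
        "certificate_usage": "ADMIN", "member": member, "token": slot["token"]})
```

Unlike the `-k` in the curl commands, `make_http` verifies the server certificate unless you pass your own `ssl.SSLContext` as `context`.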