Use REST API to configure ssl cert for infoblox grid

Techie
Posts: 3

Hello. I am trying to write a script that performs post-provisioning tasks on deployed Infoblox instances. Part of this task involves installing several CA certs as well as an SSL certificate for HTTPS. I have been able to install the CA certs using the example provided in the wapidoc documentation:
To upload the CA certificate, you first initialize the data upload procedure. To initialize the data upload procedure, call the fileop datauploadinit function that returns the URL of the destination file and the token that will be used in the certificate upload operations, as follows:

curl -H "Content-Type:application/json" -k -u admin:infoblox -X POST \
    https://127.0.0.1/wapi/v2.10.1/fileop?_function=uploadinit -d '{}'

The server will return URL for direct upload and file token to use in fileop function calls:

{
    "token": "eJydUMtOwzAQvO+...",
    "url": "https://127.0.0.1/http_direct_file_io/..."
}

Using curl we can upload contents of the CA certificate (ca.cert.pem) to a URL returned from datauploadinit operation:

curl -k1 -u admin:infoblox -F file=@ca.cert.pem \
    "https://127.0.0.1/http_direct_file_io/..."

To upload the CA certificate (cacertificate), call the fileop uploadcertificate function with the certificate_usage parameter set to EAP_CA, member set to a desired member hostname, and token set to a token value returned by a fileop datauploadinit function call, as follows:

curl -k1 -u admin:infoblox -X POST -H "Content-Type: application/json" \
    https://127.0.0.1/wapi/v2.10.1/fileop?_function=uploadcertificate -d \
    '{ "certificate_usage": "EAP_CA", "member": "infoblox.localdomain", "token": "eJydUMtOwzAQvO+..." }'

The server will return empty dictionary if operation succeeds: {}

However, I cannot seem to determine how to perform the same task with the SSL certificate. I have tried performing the same task with the SSL cert, but I keep getting this error:

The certificate does not belong to a Certificate Authority

What am I doing wrong? What do I need to do differently?

Re: Use REST API to configure ssl cert for infoblox grid

Community Manager
Posts: 144

The grid will not allow import of a certificate if it doesn't match a CSR generated within the grid.  You will need to make a CSR on the grid first.  Export that CSR, have it signed by the CA, and then import the signed cert to the grid.

Re: Use REST API to configure ssl cert for infoblox grid

Techie
Posts: 3

So, what you are telling me is that we would have to generate the certificate after Infoblox has been deployed. We can't create a CSR ourselves and generate a certificate that way. You might want to consider adding functionality which allows users to import CSRs that are generated outside Infoblox in a future release, as this prevents us from being able to automate this part of the deployment, which is upsetting to say the least.

Re: Use REST API to configure ssl cert for infoblox grid

Authority
Posts: 11

You can automate the CSR generation on the Grid using REST API:

POST 'https://x.x.x.x/wapi/v2.10/fileop?_function=generatecsr'

{
    "algorithm": "SHA-256",
    "email": "admin@example.com",
    "certificate_usage": "ADMIN"
}

The syntax might not be 100% correct, I am trying to recall it from memory, but check the API documentation on using the 'fileop' object, it should allow you to generate a CSR, download it, sign it, then upload the signed certificate also using fileop. 
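
The flow described in this thread (generate the CSR on the grid so the private key stays on the appliance, download it, have the CA sign it, upload the signed certificate), as an added example that is not part of the original posts and is not Infoblox's own code. It assumes the fileop functions generatecsr, downloadcomplete, uploadinit and uploadcertificate; the host name, the `member` and `cn` fields, the force-download header and all helper names are assumptions to check against the WAPI documentation.

```sh
#!/bin/sh
# Added example (not Infoblox code). Host name, member and CN are placeholders.
WAPI="${WAPI:-https://grid.example.com/wapi/v2.10.1}"
GRID_CA="${GRID_CA:-/etc/ssl/certs/ca-certificates.crt}"

# curl wrapper: credentials come from ~/.netrc (-n) rather than the command
# line, and the grid's TLS certificate is verified instead of skipped with -k.
grid_curl() { curl -sS -f -n --cacert "$GRID_CA" "$@"; }

# Extract one string field from a small JSON reply (no jq dependency).
json_field() { sed -n 's/.*"'"$1"'": *"\([^"]*\)".*/\1/p' | head -n 1; }

# wapi_post <fileop function> <json body>
wapi_post() {
  grid_curl -X POST -H "Content-Type: application/json" \
    "$WAPI/fileop?_function=$1" -d "$2"
}

# Step 1: have the grid create the key pair and CSR, then download the CSR.
# grid_fetch_csr <member> <cn> <outfile>
grid_fetch_csr() (
  body="{\"certificate_usage\": \"ADMIN\", \"algorithm\": \"SHA-256\","
  body="$body \"member\": \"$1\", \"cn\": \"$2\"}"
  reply=$(wapi_post generatecsr "$body") || return 1
  token=$(printf '%s\n' "$reply" | json_field token)
  url=$(printf '%s\n' "$reply" | json_field url)
  [ -n "$token" ] && [ -n "$url" ] || { echo "no token/url: $reply" >&2; return 1; }
  # Header assumed to be needed for direct file downloads.
  grid_curl -H "Content-Type: application/force-download" -o "$3" "$url" || return 1
  wapi_post downloadcomplete "{\"token\": \"$token\"}" >/dev/null
)

# Step 2, after the CA has signed the CSR: upload the signed certificate.
# grid_install_cert <member> <signed-cert.pem>
grid_install_cert() (
  reply=$(wapi_post uploadinit '{}') || return 1
  token=$(printf '%s\n' "$reply" | json_field token)
  url=$(printf '%s\n' "$reply" | json_field url)
  [ -n "$token" ] && [ -n "$url" ] || { echo "no token/url: $reply" >&2; return 1; }
  grid_curl -F "file=@$2" "$url" >/dev/null || return 1
  # ADMIN is the usage value from the reply above; EAP_CA is for CA certificates.
  wapi_post uploadcertificate \
    "{\"certificate_usage\": \"ADMIN\", \"member\": \"$1\", \"token\": \"$token\"}"
)
```

Run `grid_fetch_csr` first, hand the downloaded CSR to the CA, then call `grid_install_cert` with the signed certificate it returns.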
