Layer7 API Management

  • 1.  How to renew certificates using restman/GMU

    Posted Jan 15, 2019 11:26 AM

    Hi,

     

    Can we add new certificates in more than one gateway server and delete the old certificates? I am trying to automate the process of renewing certificates once they expire.

     

    Thanks,

    Spal.



  • 2.  Re: How to renew certificates using restman/GMU

    Broadcom Employee
    Posted Jan 15, 2019 02:34 PM

    Spal,

     

    Good afternoon. Please let us know if this is for Trusted Certificates or Private keys as both can be automated but the process is different.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support



  • 3.  Re: How to renew certificates using restman/GMU

    Posted Jan 15, 2019 02:41 PM

    Hi Stephen,

     

    It's for Trusted certs.

     

    Thanks,

    Spal



  • 4.  Re: How to renew certificates using restman/GMU

    Broadcom Employee
    Posted Jan 16, 2019 03:36 AM

    Hi Spal,

    Maybe have a look at "Best way to manage large trusted cert store?" and see if that last answer would work for you.

     

    regards

    Conny



  • 5.  Re: How to renew certificates using restman/GMU

    Posted Jan 16, 2019 10:04 AM

    Hi Conny,

     

    That post is somewhat helpful, but I need something in more detail.

     

    Thanks,

    Spal



  • 6.  Re: How to renew certificates using restman/GMU
    Best Answer

    Broadcom Employee
    Posted Jan 16, 2019 01:58 PM

    Spal,

     

    The restman calls to create and update a trusted certificate are outlined below. Please note that the update requires the unique ID, which can either be queried against the trusted certificates or already be known to you.

     

    Create a Trusted Certificate:

    HTTP Method: POST

    URL: https://<FQDN or IP of the gateway>:8443/restman/1.0/trustedCertificates

    Payload sample:

    <l7:TrustedCertificate xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>supclient</l7:Name>
    <l7:CertificateData>
    <l7:Encoded>
    MIIDBzCCAe+gAwIBAgIJAIFxQWJJSG6zMA0GCSqGSIb3DQEBDAUAMBAxDjAMBgNVBAMTBXN1cGNh
    MB4XDTE4MTIyODE5MzA0MVoXDTIwMTIyNzE5MzA0MVowFDESMBAGA1UEAxMJc3VwY2xpZW50MIIB
    IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplLLKxqSP6GnrNuSR1+3i1vmsfiLME2iKJlx
    Kh4qF9sNacDAnemymE3YYxlwUva6DpZZwtAFEwnFBSqPfHtuzA8hJqaCfG6bt5pd8Jix2SCpCMA9
    +Uu4MvxXk15l9ys0qDTBNUgLSceRQvFsO2/6aLdcLW3yfvcrTcFSuPOLcSC2aPL/BuFVfSzypV2w
    wuRJ4sVsaamEh/y14wRK9etn/EPaGQUIa8NCVcZWMCIyAZCmPoqNtbSC6HTpFyOBJjbpzZ2hfKgl
    60pqdwZ1IlulL6Qzko6C/8tVWeWK6yZ7FIVZwfImN7vGc/UQ9zUNccYkv+v8ovFqwHHSBUo1CS1a
    6wIDAQABo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUuVHuBm5v
    nEl4r3395reFyTBQ45QwHwYDVR0jBBgwFoAUzNmFRB6HC1W7QP14IlFuBkjcCbEwDQYJKoZIhvcN
    AQEMBQADggEBAHBXD9QKlk6m/QEPQM+wvWi+ZGXP/KWzFnyggN2CI69sflNnCJZwe60FeNRhvTYt
    nVOReRGfLv41TbLOuVIsDfWw2WFFDPM7iKlr+vBaXHkkLvYfQR7m/H+mWarn/NxH/8wunBhP1Hn+
    kpJb4+dX+RKYwpn5r0XFGCTpXJ1S2CCjHSAv8EqbELa7AyhmbP2EqeeEWGVPSQqT9f1AiyfVhZzB
    WTrb+mJk0ftvuOvYp5lPJ+9tT/fDPTViq4F33lU5uprw1tqq+AnYp1kEWdZmBMxoTbCYnR2EdcDN
    7oIUP7WMWrTZlpGUurlGAB2u0FnUu7BXLQzvZBOhHRkcbt9RX8o=
    </l7:Encoded>
    </l7:CertificateData>
    <l7:Properties>
    <l7:Property key="revocationCheckingEnabled">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustAnchor">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedAsSamlAttestingEntity">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedAsSamlIssuer">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedForSigningClientCerts">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedForSigningServerCerts">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedForSsl">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="verifyHostname">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    </l7:Properties>
    </l7:TrustedCertificate>

     

    Query to get the ID for the Trusted Certificate (Note: the ID is the value of the l7:Id element in the response below):

    HTTP Method: GET

    URL: https://<FQDN or IP of the gateway>:8443/restman/1.0/trustedCertificates?name=supclient

    Response sample:

    <l7:List xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>TRUSTED_CERT List</l7:Name>
    <l7:Type>List</l7:Type>
    <l7:TimeStamp>2019-01-16T10:54:22.977-08:00</l7:TimeStamp>
    <l7:Link rel="self" uri="https://supdemo-ssg93.ca.com:8443/restman/1.0/trustedCertificates?name=supclient"/>
    <l7:Link rel="template" uri="https://supdemo-ssg93.ca.com:8443/restman/1.0/trustedCertificates/template"/>
    <l7:Item>
    <l7:Name>supclient</l7:Name>
    <l7:Id>f5b0ae906adf863041c633666f1921c3</l7:Id>

    ......

    </l7:List>

     

    Update a Trusted Certificate (Replace the Encoded element with the new value between BEGIN and END certificate):

    HTTP Method: PUT

    URL: https://<FQDN or IP of the gateway>:8443/restman/1.0/trustedCertificates/f5b0ae906adf863041c633666f1921c3

    Payload sample:

    <l7:TrustedCertificate xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>supclient</l7:Name>
    <l7:CertificateData>
    <l7:Encoded>
    MIIDBzCCAe+gAwIBAgIJAL2M54tPnc81MA0GCSqGSIb3DQEBDAUAMBAxDjAMBgNVBAMTBXN1cGNh
    MB4XDTE5MDExNjE3MzIzNVoXDTIxMDExNTE3MzIzNVowFDESMBAGA1UEAxMJc3VwY2xpZW50MIIB
    IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplLLKxqSP6GnrNuSR1+3i1vmsfiLME2iKJlx
    Kh4qF9sNacDAnemymE3YYxlwUva6DpZZwtAFEwnFBSqPfHtuzA8hJqaCfG6bt5pd8Jix2SCpCMA9
    +Uu4MvxXk15l9ys0qDTBNUgLSceRQvFsO2/6aLdcLW3yfvcrTcFSuPOLcSC2aPL/BuFVfSzypV2w
    wuRJ4sVsaamEh/y14wRK9etn/EPaGQUIa8NCVcZWMCIyAZCmPoqNtbSC6HTpFyOBJjbpzZ2hfKgl
    60pqdwZ1IlulL6Qzko6C/8tVWeWK6yZ7FIVZwfImN7vGc/UQ9zUNccYkv+v8ovFqwHHSBUo1CS1a
    6wIDAQABo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUuVHuBm5v
    nEl4r3395reFyTBQ45QwHwYDVR0jBBgwFoAUzNmFRB6HC1W7QP14IlFuBkjcCbEwDQYJKoZIhvcN
    AQEMBQADggEBAIMGYwNmtthlKVBoNdnJqFI3OCjdkYr7Fjttt7P4LLSsvMwDY4Iz0WYnSeLsqSQy
    Vsvs/SpDnujTswx1xutI1HdIfgEnNIGGHFnms+Ojmp/F7M8qqYSxav1e2gqZxmdawdZjaR17tBhc
    tyum/0DUDQ5AXcqs1S+HNNJV1c4S3DFz4X/yup02b6kaAsjJDJki8LTPERjA07N4CTU6VhaTSaxZ
    LvYpVVNY+irnS9p1nSvGIUj+ofQBp34JCyjQtTCdVI3LU0HUio6T/T4ew3qbtMdbvU6E584AmCaE
    LtPiyIYT8ty+xwL9xsGwMpWxn9APB2KocWyiloNmBP6j8c+1S2E=
    </l7:Encoded>
    </l7:CertificateData>
    <l7:Properties>
    <l7:Property key="revocationCheckingEnabled">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustAnchor">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedAsSamlAttestingEntity">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedAsSamlIssuer">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedForSigningClientCerts">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedForSigningServerCerts">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="trustedForSsl">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    <l7:Property key="verifyHostname">
    <l7:BooleanValue>false</l7:BooleanValue>
    </l7:Property>
    </l7:Properties>
    </l7:TrustedCertificate>

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support
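    The three calls above (POST to create, GET by name to find the ID, PUT on that ID to update) are enough to script the renewal Spal asked about in the opening post, across several gateways at once. The script below is an added example and is not code from the thread or from Broadcom: it keeps the restman paths and the l7:TrustedCertificate payload shape exactly as shown above, but the gateway hostnames, credentials, CA bundle path and PEM file path are placeholders, and the sample GET response and sample PEM embedded in it are constructed for the offline checks. Because the PUT replaces the Encoded value under the same ID, nothing has to be deleted afterwards; the script only falls back to POST when no trusted certificate of that name exists yet. It also refuses to upload anything whose PEM body is not a DER SEQUENCE, and verifies the gateway's 8443 listener against a pinned CA bundle rather than disabling TLS verification.

```python
"""Renew a Layer7 Gateway trusted certificate on several gateways via restman.

Added example, not from the thread or from Broadcom. The restman paths and
the l7:TrustedCertificate payload shape are the ones shown in the thread;
GATEWAYS, USERNAME, PASSWORD, CA_BUNDLE and the PEM path are placeholders.
Standard library only.
"""
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
NS = {"l7": L7_NS}
ET.register_namespace("l7", L7_NS)

# Property flags copied from the thread's sample payload.
DEFAULT_PROPERTIES = {
    "revocationCheckingEnabled": True,
    "trustAnchor": True,
    "trustedAsSamlAttestingEntity": False,
    "trustedAsSamlIssuer": False,
    "trustedForSigningClientCerts": False,
    "trustedForSigningServerCerts": False,
    "trustedForSsl": True,
    "verifyHostname": False,
}


def pem_to_encoded(pem_text):
    """Return the base64 between BEGIN/END CERTIFICATE as one line, checked to be DER."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    encoded = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(encoded, validate=True)
    # A DER certificate is an ASN.1 SEQUENCE (tag 0x30); reject anything else before uploading.
    if not der or der[0] != 0x30:
        raise ValueError("PEM body is not a DER certificate")
    return encoded


def build_payload(name, encoded, properties=None):
    """Build the <l7:TrustedCertificate> document used for both POST and PUT."""
    properties = DEFAULT_PROPERTIES if properties is None else properties
    root = ET.Element(f"{{{L7_NS}}}TrustedCertificate")
    ET.SubElement(root, f"{{{L7_NS}}}Name").text = name
    data = ET.SubElement(root, f"{{{L7_NS}}}CertificateData")
    ET.SubElement(data, f"{{{L7_NS}}}Encoded").text = encoded
    props = ET.SubElement(root, f"{{{L7_NS}}}Properties")
    for key, value in properties.items():
        prop = ET.SubElement(props, f"{{{L7_NS}}}Property", key=key)
        ET.SubElement(prop, f"{{{L7_NS}}}BooleanValue").text = "true" if value else "false"
    return ET.tostring(root, encoding="unicode")


def parse_payload(payload_xml):
    """Read Name, Encoded and the property flags back out of a payload (sanity check before PUT)."""
    root = ET.fromstring(payload_xml)
    name = root.findtext("l7:Name", namespaces=NS)
    encoded = root.findtext("l7:CertificateData/l7:Encoded", namespaces=NS)
    props = {p.get("key"): p.findtext("l7:BooleanValue", namespaces=NS) == "true"
             for p in root.findall("l7:Properties/l7:Property", NS)}
    return name, encoded, props


def extract_id(list_xml, name):
    """Return the <l7:Id> of the <l7:Item> whose <l7:Name> matches, from a GET ?name= response."""
    root = ET.fromstring(list_xml)
    for item in root.findall("l7:Item", NS):
        if item.findtext("l7:Name", namespaces=NS) == name:
            return item.findtext("l7:Id", namespaces=NS)
    return None


def restman_request(base_url, method, path, auth_header, ctx, body=None):
    """One restman call; urllib raises HTTPError on a non-2xx answer."""
    data = body.encode("utf-8") if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method)
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/xml")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode("utf-8")


def renew_on_gateway(base_url, name, encoded, auth_header, ctx):
    """Look the cert up by name; PUT onto its id if present, otherwise POST a new one."""
    query = "/restman/1.0/trustedCertificates?name=" + urllib.parse.quote(name)
    _, body = restman_request(base_url, "GET", query, auth_header, ctx)
    cert_id = extract_id(body, name)
    payload = build_payload(name, encoded)
    if cert_id:
        # In-place update: same id, new Encoded value, so no old entry is left to delete.
        path = f"/restman/1.0/trustedCertificates/{cert_id}"
        return restman_request(base_url, "PUT", path, auth_header, ctx, payload)
    return restman_request(base_url, "POST", "/restman/1.0/trustedCertificates", auth_header, ctx, payload)


# Constructed sample: the thread's GET response trimmed to the fields this script reads.
SAMPLE_LIST_RESPONSE = """<l7:List xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
<l7:Name>TRUSTED_CERT List</l7:Name>
<l7:Type>List</l7:Type>
<l7:Item>
<l7:Name>supclient</l7:Name>
<l7:Id>f5b0ae906adf863041c633666f1921c3</l7:Id>
</l7:Item>
</l7:List>"""

# Constructed stand-in PEM: a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    GATEWAYS = ["gateway1.example.invalid", "gateway2.example.invalid"]  # placeholders
    USERNAME, PASSWORD = "admin", "change-me"  # placeholders; read from a vault in practice
    CA_BUNDLE = "/path/to/gateway-ca.pem"  # placeholder: CA that issued the 8443 listener cert
    with open("/path/to/new-supclient.pem") as fh:  # placeholder: the renewed certificate
        new_encoded = pem_to_encoded(fh.read())
    auth = "Basic " + base64.b64encode(f"{USERNAME}:{PASSWORD}".encode()).decode()
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)  # verify the gateway, do not disable TLS checks
    for host in GATEWAYS:
        status, _ = renew_on_gateway(f"https://{host}:8443", "supclient", new_encoded, auth, ctx)
        print(host, status)
```

    Run it once per renewal with the gateway list filled in; each gateway is handled independently, so a failure on one host raises and stops before the rest are touched, which is usually what you want when a payload is wrong.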



  • 7.  Re: How to renew certificates using restman/GMU

    Posted Jan 17, 2019 04:12 PM

    Hi Stephen,

     

    Thank you for the information. It was very helpful.

     

    I got another question related to private keys. 

     

    How do we update a private key, or replace a private key?

     

    Thanks,

    Spal



  • 8.  Re: How to renew certificates using restman/GMU

    Broadcom Employee
    Posted Jan 17, 2019 06:45 PM

    Spal,

     

    Please review these other posts for the private key:

     

    Create Private Key via RESTMAN API 

    RESTMAN API for Private Keys 

    Set private key as default using restman API 

    Import private key through REST API 

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support