Layer7 API Management

  • 1.  restman API import private-key questions

    Posted Nov 21, 2016 09:19 AM

    Hi 

    I have some questions regarding the possibility to import private-keys through restman API of Layer7: 

     

    1. How can I create the text content of <l7:Pkcs12Data> without manually importing/exporting the key first? 
      I ask because the content of the element <l7:Pkcs12Data> inside <l7:PrivateKeyImportContext> is text. PKCS12 is binary, and when I try to simply convert it to Base64, the result is not the same as when I manually import the private key and then export it through restman.
    2. Is it possible to import a private-key and at the same time mark it as default SSL key (special purpose)?
      I would like to do this in one request.

     

    Thanks

    Stephan



  • 2.  Re: restman API import private-key questions
    Best Answer

    Broadcom Employee
    Posted Nov 23, 2016 06:16 PM

    Stephan,

     

    1) How can I create the text content of <l7:Pkcs12Data> without manually importing/exporting the key first? 
    Response: Commands to generate a Base64 output of the PKCS12 file

    Linux:
    base64 <file for PKCS12> > b64output.txt

     

    Windows (Note: take the value between the BEGIN and END Certificate in the output file):
    certutil -encode inputFileName encodedOutputFileName

     

    JAVA (Note: that will also build the XML):
    // Read testkey.p12 from the classpath and Base64-encode its raw bytes
    String data = new String(BASE64EncoderStream.encode(IOUtils.slurpStream(this.getClass().getResourceAsStream("testkey.p12"))));
    // Wrap the encoded keystore in the restman import payload
    String privateKeyImport = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\n" +
            "<l7:PrivateKeyImportContext xmlns:l7=\"http://ns.l7tech.com/2010/04/gateway-management\">\n" +
            "    <l7:Pkcs12Data>" + data + "</l7:Pkcs12Data>\n" +
            "    <l7:Alias>testkey</l7:Alias>\n" +
            "    <l7:Password></l7:Password>\n" +
            "</l7:PrivateKeyImportContext>";
    System.out.println(privateKeyImport);

     

    b) URL to import the Private Key (PKCS12)
    POST https://<gateway>:8443/restman/1.0/privateKeys/00000000000000000000000000000002:<alias name>/import

     

    Header(s) required:
    Content-Type = application/xml and Authorization = Base64 value of user and password

     

    Payload for the private key
    <l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
        <l7:Pkcs12Data>{base64 of the PKCS12}</l7:Pkcs12Data>
        <l7:Password>{Password for the PKCS12}</l7:Password>
    </l7:PrivateKeyImportContext>

    __________________________________________________________________________________________________

    2) Is it possible to import a private-key and at the same time mark it as default SSL key (special purpose)?
    I would like to do this in one request.

    Response: This cannot be done at the time of the import. To update the Private Key with a Special Purpose (Note: this will also require a restart of the Gateway to pick up the change):
    URL to Update Private Key setting:
    PUT https://<gateway>:8443/restman/1.0/privateKeys/00000000000000000000000000000002:{alias name}/specialPurpose?purpose=SSL
    Header(s) required:
    Authorization = Base64 value of user and password

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support
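
The import request described in the answer above, as an added example that is not part of the original post or of Layer7's own code. It builds the payload with an XML library so a keystore password containing `&` or `<` is escaped, and it assumes that "Base64 value of user and password" means HTTP Basic authentication; the gateway host, user names and passwords are constructed placeholders.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
KEYSTORE_ID = "00000000000000000000000000000002"  # keystore id used in the thread's URLs
ET.register_namespace("l7", L7_NS)  # serialise with the l7: prefix and its xmlns binding


def build_import_payload(p12_bytes, p12_password, alias=None):
    """Return the <l7:PrivateKeyImportContext> document as a string."""
    root = ET.Element(f"{{{L7_NS}}}PrivateKeyImportContext")
    # b64encode emits one unwrapped line of the raw keystore bytes
    ET.SubElement(root, f"{{{L7_NS}}}Pkcs12Data").text = base64.b64encode(p12_bytes).decode("ascii")
    if alias is not None:
        ET.SubElement(root, f"{{{L7_NS}}}Alias").text = alias
    # ElementTree escapes &, < and > in the password; string concatenation would not
    ET.SubElement(root, f"{{{L7_NS}}}Password").text = p12_password
    return ET.tostring(root, encoding="unicode")


def build_import_request(gateway, alias, p12_bytes, p12_password, user, user_password):
    """Build (but do not send) the POST .../privateKeys/<keystore>:<alias>/import request."""
    key_id = f"{KEYSTORE_ID}:{urllib.parse.quote(alias, safe='')}"
    url = f"https://{gateway}:8443/restman/1.0/privateKeys/{key_id}/import"
    # Assumption: "Base64 value of user and password" means HTTP Basic authentication
    token = base64.b64encode(f"{user}:{user_password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        url,
        data=build_import_payload(p12_bytes, p12_password).encode("utf-8"),
        headers={"Content-Type": "application/xml", "Authorization": f"Basic {token}"},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real keystore; read your .p12 in binary mode instead
    sample_p12 = bytes(range(256))
    req = build_import_request("gateway.example.com", "testkey", sample_p12,
                               "p&ss<word>", "admin", "constructed-password")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8")[:120], "...")
```
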



  • 3.  Re: restman API import private-key questions

    Broadcom Employee
    Posted Apr 18, 2017 12:42 PM

    Stephen, thank you very much for the reply to this thread; it helped me with a client trying to automate the process of creating new SSL keys upon expiration. The client would now like to automate the process of updating a Private Key's certificate chain. The docs say this is possible but leave little on how to do this, as there is no example payload. Do you have an example Payload similar to the one provided above to complete an update on an expired cert as opposed to importing a new one? Any assistance will be much appreciated.

     

    Kevin



  • 4.  Re: restman API import private-key questions

    Posted Apr 19, 2017 03:51 AM

    Hi Kevin_Masingale

     

    Use the URL 

    PUT  https://<gateway>:8443/restman/1.0/privateKeys/00000000000000000000000000000002:<alias name>

     

    To get an example payload for the request (an element of type <l7:PrivateKey>), use the same URL with a GET request against an existing private key on your gateway. 

     

    It looks something like this: 

     

    <l7:PrivateKey alias="myKeyAlias" keystoreId="00000000000000000000000000000002" id="00000000000000000000000000000002:myKeyAlias">
    <l7:CertificateChain>
    <l7:CertificateData>
    <l7:IssuerName>CN=...</l7:IssuerName>
    <l7:SerialNumber>...</l7:SerialNumber>
    <l7:SubjectName>CN=...</l7:SubjectName>
    <l7:Encoded>...</l7:Encoded>
    </l7:CertificateData>
    </l7:CertificateChain>
    <l7:Properties>
    <l7:Property key="keyAlgorithm">
    <l7:StringValue>RSA</l7:StringValue>
    </l7:Property>
    </l7:Properties>
    </l7:PrivateKey>

     

    Regards

    Stephan



  • 5.  Re: restman API import private-key questions

    Broadcom Employee
    Posted Apr 19, 2017 02:11 PM

    Thank you very much for the reply stephan.burkard. I tried doing that prior to writing this question to no avail. It was failing with the following detail in the error: 

     

    <l7:Detail>HTTP 400 Bad Request. Caused by: The prefix &quot;l7&quot; for element &quot;l7:PrivateKey&quot; is not bound.</l7:Detail>

     

    This is why I was hoping to get a sample Payload from Stephen to see what I may be doing wrong. I will continue to look into the payload to see if there is something I am missing and appreciate your help if you can think of anything I may be doing wrong. 

     

    Thanks and Regards,

    Kevin



  • 6.  Re: restman API import private-key questions

    Broadcom Employee
    Posted Apr 19, 2017 02:19 PM

    Ok, I got to the bottom of it just after posting the above. I needed to add the proper namespace to the payload. I added xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management" to the top of the payload after the <l7:PrivateKey tag and all is well. Thank you for your help.

     

    Kevin
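
A pre-flight check for the "prefix l7 is not bound" failure resolved above, as an added example that is not part of the original posts: it parses an `<l7:PrivateKey>` payload locally and adds the `xmlns:l7` declaration when it is missing. The function names and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"


def l7_root(xml_text):
    """Return the root element, or None if the document does not parse."""
    try:
        return ET.fromstring(xml_text)
    except ET.ParseError:  # e.g. "unbound prefix" when xmlns:l7 is missing
        return None


def is_bound_private_key(xml_text):
    """True if the root parses as PrivateKey in the gateway-management namespace."""
    root = l7_root(xml_text)
    return root is not None and root.tag == f"{{{L7_NS}}}PrivateKey"


def bind_l7_namespace(xml_text):
    """Add the xmlns:l7 declaration to the <l7:PrivateKey> start tag if it is missing."""
    if is_bound_private_key(xml_text):
        return xml_text
    fixed = re.sub(r"<l7:PrivateKey\b", f'<l7:PrivateKey xmlns:l7="{L7_NS}"', xml_text, count=1)
    if not is_bound_private_key(fixed):
        raise ValueError("payload is not a well-formed <l7:PrivateKey> document")
    return fixed


# Constructed sample shaped like the payload posted above (values elided as in the thread)
SAMPLE = """<l7:PrivateKey alias="myKeyAlias" keystoreId="00000000000000000000000000000002" id="00000000000000000000000000000002:myKeyAlias">
<l7:CertificateChain>
<l7:CertificateData>
<l7:Encoded>...</l7:Encoded>
</l7:CertificateData>
</l7:CertificateChain>
</l7:PrivateKey>"""

if __name__ == "__main__":
    print("bound before fix:", is_bound_private_key(SAMPLE))
    print("bound after fix: ", is_bound_private_key(bind_l7_namespace(SAMPLE)))
```
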



  • 7.  Re: restman API import private-key questions

    Posted Jan 28, 2019 06:52 PM

    Hi Stephen,

    I am trying to update an existing private key. I tried the PUT call to https://localhost:8443/restman/1.0/privateKeys/{id} but I get an error 500.

    Can you help me with a sample request to update an existing private key?

     

    The restman document doesn't provide sample requests. 

     

    Thanks,

    Spal

     

     



  • 8.  Re: restman API import private-key questions

    Broadcom Employee
    Posted Jan 28, 2019 07:01 PM

    Spal,

     

    Please review this post as it outlines what you are looking for and the current limitation.

    RESTMAN privateKeys import 

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support