
HTTPS validation CA upload via RESTful API

Hello!

Because we have to upload many HTTPS validation CAs to the UTM and the UTM does not have an option to upload more than one CA at a time, we wrote a small script which uses the RESTful API.

The script works fine and I can see all uploaded CAs in the list of

  Web Protection -> Filtering Options -> HTTPS CAs -> Local verification CAs

The only problem is: the UTM does not use these added CAs!

What do I have to do?

If I upload the CAs manually, it works. So the GUI must do something that is not shown by "confd-watch.plx -v".

Regards
 Sven Anders


  • Hi, Sven, and welcome to the UTM Community!

    I only know how to do this with:

    cc ca_import_verification_ca CA_NAME <pem> http_verification_ca

    I don't know how to do that with the RESTful API.

    Cheers - Bob

    EDIT 2017-10-02 I left out the name to assign to the new CA. <pem> is the file name.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    And does this command work for you? I always get this error when I try:

      'attrs' => [
                   'reason'
                 ],
      'class' => 'ca',
      'fatal' => 1,
      'format' => 'Cannot import: certificate malformed (%s).',
      'msgtype' => 'CA_VERIFICATION_CA_IMPORT_FAILURE',
      'name' => 'Cannot import: certificate malformed (missing attribute).',
      'never_hide' => 0,
      'reason' => 'missing attribute',
      'type' => 'verification_ca'

    Is <pem> the path to the PEM file, or should it be text like "-----BEGIN CERTIFICATE-----\n...." or

    "-----BEGIN CERTIFICATE-----
    ...
    ....END...."

    ?

    Thank you

  • Thanks, Daniel, I've corrected the post.  Does that work for you now?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Unfortunately it still does not work.

    I get the same error.

    Any other ideas?

    Thank you

  • Hello!

    I need a solution to update the certificate from outside, not on the machine, because we need to update many UTMs at once.

    Therefore this may be another solution, but not the solution to the real problem: that the certificate is added but not used by the UTM.

    Regards
     Sven

  • Daniel, did you specify http_verification_ca?  There are three parameters.  It's been years since I used this, but I'm fairly certain that <pem> is the file name and not the content of the pem.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Yes, I tried with both http_verification_ca and verification_ca (the default), but without success.

  • Hi Sven

    Enable the API and open the API explorer.

    You will first need to update the meta x509 for your new certificate and then update the verification_ca.

    Tip: use the GET methods to see what should be in the fields and use the POST methods to do the updates with the new data.

  • Aehmmm?

    Did you (or anybody) read my initial question?

    The script works fine, but the UTM does not use the added certificates...

    I think this is a bug in the UTM, but I need confirmation or a hint at what I'm doing wrong...

    Regards
     Sven

  • Hi Sven

    Is your script updating both (certificate and ref meta)?

    Otherwise the UTM will not notice the change.
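The two replies above say the same thing: a verification CA written through the REST API is only picked up when the meta x509 object is written as well and the CA references it. The script below is an added example of that sequence, written for this thread; it is not Sophos code and not the poster's script. Everything about the API it relies on is an assumption to be checked in the API explorer: the base URL https://<utm>:4444/api, HTTP Basic authentication with the user name "token" and the API token as password, the object classes ca/meta_x509 and ca/verification_ca, and the field names subject, issuer, fingerprint, certificate and meta. The one check worth doing before running it is to upload a single CA by hand, GET both objects the GUI created, and make the payloads match them field for field; it also accepts the PEM either as a file's multi-line text or as a one-line string with literal "\n", which was the question raised about the cc command.

```python
"""Upload a local HTTPS verification CA to a Sophos UTM via its REST API,
writing the meta_x509 object first and then the verification_ca that
references it, as the last reply in this thread recommends.

Added example for this thread, not Sophos code. Labelled assumptions: the
API base is https://<utm>:4444/api, authentication is HTTP Basic with the
user name "token" and the API token as password, and the object classes
ca/meta_x509 and ca/verification_ca accept the field names used below.
Compare them against the GET output of a CA you uploaded by hand before use.
"""
import base64
import hashlib
import json
import re
import ssl
import subprocess
import urllib.request

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_pem(text: str) -> str:
    """Accept a PEM either as multi-line text or as one line containing
    literal "\\n" sequences (what a shell or JSON string may hand over) and
    return a canonical multi-line PEM with 64-character base64 lines."""
    text = text.replace("\\n", "\n")
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())      # drop all whitespace in the body
    base64.b64decode(body, validate=True)   # fail early on a malformed body
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 fingerprint over the DER bytes, colon separated, upper case,
    the same form that "openssl x509 -fingerprint" prints."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def x509_names(pem: str) -> dict:
    """Subject and issuer in RFC 2253 form via the openssl CLI (assumed to
    be installed); only called when actually uploading."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer",
         "-nameopt", "RFC2253"],
        input=pem, capture_output=True, text=True, check=True).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return {"subject": fields["subject"].strip(),
            "issuer": fields["issuer"].strip()}


def build_payloads(name: str, pem: str, names: dict) -> tuple:
    """The two objects to write: the meta_x509 that describes the certificate
    and the verification_ca that carries the PEM and a REF to the meta.
    Field names are assumptions; check them in the API explorer."""
    meta = {"name": name, "subject": names["subject"],
            "issuer": names["issuer"], "fingerprint": sha1_fingerprint(pem)}
    ca = {"name": name, "certificate": pem, "meta": None}  # filled after POST
    return meta, ca


class UtmApi:
    def __init__(self, base_url, token, ca_bundle=None):
        self.base_url = base_url.rstrip("/")
        self.auth = base64.b64encode(f"token:{token}".encode()).decode()
        # Verify WebAdmin's certificate against a bundle you trust instead of
        # switching verification off because the UTM certificate is self-signed.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def post(self, path, payload):
        req = urllib.request.Request(
            f"{self.base_url}/objects/{path}/",
            data=json.dumps(payload).encode(),
            headers={"Authorization": f"Basic {self.auth}",
                     "Content-Type": "application/json",
                     "Accept": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read())


def upload_verification_ca(api, name, pem_text):
    """Write meta first, then the CA that references it (hypothetical flow)."""
    pem = normalize_pem(pem_text)
    meta, ca = build_payloads(name, pem, x509_names(pem))
    created_meta = api.post("ca/meta_x509", meta)   # 1. describe the cert
    ca["meta"] = created_meta["_ref"]               # 2. link CA -> meta
    return api.post("ca/verification_ca", ca)       # 3. store the CA itself
```

Usage would be `upload_verification_ca(UtmApi("https://utm.example:4444/api", token, "webadmin-ca.pem"), "corp-root", open("corp-root.pem").read())` for each UTM in the fleet. If the CA still does not take effect after both objects exist, the remaining difference is whatever the GUI writes beyond these two objects, which is exactly what comparing against a manually uploaded CA's GET output will show.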