
HTTPS validation CA upload via RESTful API

Hello!

Because we have to upload many HTTPS validation CAs to the UTM and the UTM does not have
an option to upload more than one CA at a time, we wrote a small script which uses the RESTful API.

The script works fine and I can see all uploaded CAs in the list of
  Web Protection -> Filtering Options -> HTTPS CAs -> Local verification CAs

The only problem is: the UTM does not use these added CAs!

What do I have to do?

If I upload the CAs manually, it works. So the GUI must do something that is not shown by
"confd-watch.plx -v".

Regards
 Sven Anders

  • Hi, Sven, and welcome to the UTM Community!

    I only know how to do this with:

    cc ca_import_verification_ca CA_NAME <pem> http_verification_ca

    I don't know how to do that with the RESTful API.

    Cheers - Bob

    EDIT 2017-10-02 I left out the name to assign to the new CA. <pem> is the file name

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    And does this command work for you? I always get this error when I try:

      'attrs' => [
                   'reason'
                 ],
      'class' => 'ca',
      'fatal' => 1,
      'format' => 'Cannot import: certificate malformed (%s).',
      'msgtype' => 'CA_VERIFICATION_CA_IMPORT_FAILURE',
      'name' => 'Cannot import: certificate malformed (missing attribute).',
      'never_hide' => 0,
      'reason' => 'missing attribute',
      'type' => 'verification_ca'

    Is <PEM> the path to the pem file, or should it be text like "-----BEGIN CERTIFICATE-----\n...."

    Or "-----BEGIN CERTIFICATE-----
    ...
    ....END...."
    ?

    Thank you

  • Thanks, Daniel, I've corrected the post.  Does that work for you now?

    Cheers - Bob

  • Hi Bob,

    Unfortunately it still does not work.

    I get the same error

    Any other ideas?

    Thank you

  • Daniel, did you specify http_verification_ca?  There are three parameters.  It's been years since I used this, but I'm fairly certain that <pem> is the file name and not the content of the pem.

    Cheers - Bob

  • Hi Bob

    Yes, I tried with both http_verification_ca and verification_ca (default), but without success.

  • Hi Bob,

    Any news regarding this topic? I still cannot get the command working.

    Thank you

  • Are there any further approaches to a solution yet? I am facing the same problem.

  • Hello!

    Since this thread has drifted somewhat and also contains a different question from my original one, I don't know whether the solution will help others as well.

    The solution to my problem was the following:

    For the entries to be correct and actually used, I had to add the following option to the request.

      --header 'X-Restd-Insert: http.ca_list'

    In addition, I had the problem that all newlines in the PEM certificate being sent had to be converted to "\n".

    I hope this helps someone.

    Regards

     Sven
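The two points from Sven's answer (send the `X-Restd-Insert: http.ca_list` header, and escape the PEM's newlines as `\n` in the request body) can be combined into one small upload helper. The example below is added here and is not code from the thread or from Sophos: the base URL, the object path `/api/objects/ca/verification_ca/`, the attribute names in the body, and the `token:<API token>` Basic-auth scheme are assumptions for illustration; the sample PEM is a constructed placeholder, not a real certificate. Using `json.dumps` for the body performs exactly the newline escaping the thread describes, and the pre-flight check rejects input that is not a single `BEGIN/END CERTIFICATE` block, which is the cheapest way to avoid the "certificate malformed" failure before anything is sent.

```python
import base64
import json
import urllib.request

# Assumed values for illustration only; replace with your own.
UTM_BASE_URL = "https://utm.example.invalid:4444"   # hypothetical UTM host
API_PATH = "/api/objects/ca/verification_ca/"       # assumed object path
API_TOKEN = "REPLACE_WITH_REST_API_TOKEN"           # placeholder token

# Constructed placeholder PEM (not a real certificate) used as sample input.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderLineOne\n"
    "MIIBplaceholderLineTwo\n"
    "-----END CERTIFICATE-----\n"
)


def pem_looks_well_formed(pem_text):
    """Pre-flight check: exactly one BEGIN/END CERTIFICATE pair with
    non-empty body lines in between. This catches the most common cause
    of the 'certificate malformed' import error before a request is sent."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3:
        return False
    if lines[0] != "-----BEGIN CERTIFICATE-----":
        return False
    if lines[-1] != "-----END CERTIFICATE-----":
        return False
    return all(lines[1:-1])  # no blank lines inside the base64 body


def build_ca_upload_request(name, pem_text, insert_into="http.ca_list"):
    """Return (url, headers, body) for uploading one verification CA.

    json.dumps turns the literal newlines of the PEM into the two-character
    sequence \\n inside the JSON string, which is the escaping the thread
    says the UTM expects. The X-Restd-Insert header is what makes the
    new object appear in the HTTPS CA list instead of being an orphan."""
    if not pem_looks_well_formed(pem_text):
        raise ValueError("input does not look like a single PEM certificate block")
    body = json.dumps({
        "name": name,                     # assumed attribute name
        "certificate": pem_text,          # assumed attribute name
        "comment": "uploaded via REST API",
    })
    basic = base64.b64encode(f"token:{API_TOKEN}".encode()).decode()
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Basic {basic}",  # assumed auth scheme
        "X-Restd-Insert": insert_into,      # header from the thread
    }
    return UTM_BASE_URL + API_PATH, headers, body


def upload_ca(name, pem_text):
    """Send the request. TLS certificate verification is left enabled on
    purpose: the API token travels in the Authorization header."""
    url, headers, body = build_ca_upload_request(name, pem_text)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    url, headers, body = build_ca_upload_request("Example Root CA", SAMPLE_PEM)
    print(url)
    print(headers["X-Restd-Insert"])
    print(body)  # the PEM shows up with \n escapes, no raw line breaks
```

To upload a directory of CAs, loop over the files, read each one, and call `upload_ca` with a distinct name per file; a failed pre-flight check raises before any network call, so a malformed file stops the batch without leaving a half-imported object behind.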