
This assumes you are familiar with the basic usage of the Gateway Migration Utility. Before you import a private key into the API Gateway, you may want to list the private keys that are already in the API Gateway.
Let's say you have a private key file named foo.pfx. Three pieces of information will need to be gleaned from the PFX file.
- The base 64 string of the PFX file (aka the payload)
- The CN (common name) of the server certificate in the PFX file
- The PFX file password
Base 64 string of the PFX file
The base64 command (on Linux) can be used to return the base 64 string of the PFX file.
base64 foo.pfx | sed ':label; N; $! b label; s|\n||g'
Something like this should be returned.
MIIbaAIBAzCCGyEGCSqGSIb3DQEHAaCCGxIEghsOMIIbCjCCBeYGCSqGSIb3DQEHAaCCBdcEggXT...
CN (common name) of the client certificate in the PFX file
The Java keytool command can be used to display the CN in the PFX file.
keytool -keystore foo.pfx -storepass itsasecret -list -v
Or, OpenSSL can be used to display the CN of the client certificate.
openssl pkcs12 -in foo.pfx -passin pass:itsasecret -passout pass:itsasecret -nokeys -clcerts
XML file
Create an XML file that will be used for the import.
touch import.xml
Add the base 64 string, CN, and password to the XML file.
AVOID TROUBLE
The alias in the XML file must be an exact match of the CN (common name) in the PFX file, and is CaSe SenSiTiVe. For example, if the CN in the PFX file is all lower case, the alias in the XML file must also be all lower case. If the alias in the XML file is not an exact match of the CN in the PFX file, "Aliases not found" will be returned when attempting the import.
The password cannot contain the & < > special characters as-is. Any of these characters will cause "400 bad request" and "the request sent by the client was syntactically incorrect" to be returned. They will need to be converted to the XML entities &amp; &lt; &gt; before being placed in the file.
<l7:PrivateKeyImportContext xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
<l7:Pkcs12Data>MIIbaAIBAzCCGyEGCSqGSIb3DQEHAaCCGxIEghsOMIIbCjCCBeYGCSqGSIb3DQEHAaCCBdcEggXT...</l7:Pkcs12Data>
<l7:Alias>key001</l7:Alias>
<l7:Password>itsasecret</l7:Password>
</l7:PrivateKeyImportContext>
Then issue this command. Notice here that "foo.example.com" is used. This will be the alias name that is displayed at "Manage Private Keys" in the API Gateway GUI.
/path/to/GatewayMigrationUtility.sh restman \
-argFile example.properties \
-method POST \
-path '1.0/privateKeys/00000000000000000000000000000002:foo.example.com/import' \
-request import.xml
Something like this should be returned.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
<l7:Name>key001</l7:Name>
<l7:Id>00000000000000000000000000000002:key001</l7:Id>
<l7:Type>SSG_KEY_ENTRY</l7:Type>
<l7:TimeStamp>2021-01-27T21:20:23.412-06:00</l7:TimeStamp>
<l7:Link rel="self" uri="https://apig.example.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:key001"/>
<l7:Link rel="template" uri="https://apig.example.com:8443/restman/1.0/privateKeys/template"/>
<l7:Link rel="list" uri="https://apig.example.com:8443/restman/1.0/privateKeys"/>
<l7:Link rel="templatePrivateKeyImport" uri="https://apig.example.com:8443/restman/1.0/privateKeys/template/privatekeyimportcontext"/>
<l7:Link rel="templatePrivateKeyExport" uri="https://apig.example.com:8443/restman/1.0/privateKeys/template/privatekeyexportcontext"/>
<l7:Link rel="templatePrivateKeyCreation" uri="https://apig.example.com:8443/restman/1.0/privateKeys/template/privatekeycreationcontext"/>
<l7:Link rel="generateCSR" uri="https://apig.example.com:8443/restman/1.0/privateKeys/00000000000000000000000000000002:key001/generateCSR"/>
<l7:Resource>
<l7:PrivateKey alias="key001" keystoreId="00000000000000000000000000000002" id="00000000000000000000000000000002:key001">
<l7:CertificateChain>
<l7:CertificateData>
<l7:IssuerName>CN%3Dexample%2CDC%3Dexample%2CDC%3Dcom</l7:IssuerName>
<l7:SerialNumber>123456</l7:SerialNumber>
<l7:SubjectName>CN%3Dexample.com%2COU%3DInformation+Technology%2CO%3DExample%2CL%3DAppleton%2CST%3DWI%2CC%3DUS</l7:SubjectName>
<l7:Encoded>MIIGrDCCBZSgAwI . . . =</l7:Encoded>
</l7:CertificateData>
<l7:CertificateData>
<l7:IssuerName>CN%3Dexample</l7:IssuerName>
<l7:SerialNumber>123456</l7:SerialNumber>
<l7:SubjectName>CN%3Dexample%2CDC%3Dexample%2CDC%3Dcom</l7:SubjectName>
<l7:Encoded>MIIFHjCCAwagAwIBAgITdwAAAALgxwSQWnZaBAAAAAA . . . </l7:Encoded>
</l7:CertificateData>
<l7:CertificateData>
<l7:IssuerName>CN%3Dexample</l7:IssuerName>
<l7:SerialNumber>123456</l7:SerialNumber>
<l7:SubjectName>CN%3Dexample</l7:SubjectName>
<l7:Encoded>MIIFDTCCAvWgAwIBAgIQZDQllOKikIVNvtfushN . . . ==</l7:Encoded>
</l7:CertificateData>
</l7:CertificateChain>
<l7:Properties>
<l7:Property key="keyAlgorithm">
<l7:StringValue>RSA</l7:StringValue>
</l7:Property>
</l7:Properties>
</l7:PrivateKey>
</l7:Resource>
</l7:Item>
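As an added example (not from the original article and not part of the Gateway Migration Utility), the Python below builds the PrivateKeyImportContext with the password XML-escaped automatically, and then checks, case-sensitively, that the alias matches the CN parsed from a returned Item. The response snippet is constructed, and the DN is split on plain commas, which is a simplification.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

L7_NS = "http://ns.l7tech.com/2010/04/gateway-management"
ET.register_namespace("l7", L7_NS)


def build_import_context(pfx_bytes: bytes, alias: str, password: str) -> str:
    """Build the PrivateKeyImportContext document for the restman import.

    ElementTree escapes & < > in text nodes, so a password such as
    'p&ss<w>' is emitted as 'p&amp;ss&lt;w&gt;' instead of triggering the
    400 "syntactically incorrect" response described in the article.
    """
    root = ET.Element(f"{{{L7_NS}}}PrivateKeyImportContext")
    payload = base64.b64encode(pfx_bytes).decode("ascii")   # the single-line base64 of the PFX
    ET.SubElement(root, f"{{{L7_NS}}}Pkcs12Data").text = payload
    ET.SubElement(root, f"{{{L7_NS}}}Alias").text = alias
    ET.SubElement(root, f"{{{L7_NS}}}Password").text = password
    return ET.tostring(root, encoding="unicode")


def leaf_cn_from_item(item_xml: str) -> str:
    """Return the CN of the first certificate in the returned chain.

    restman URL-encodes the DN ("CN%3Dexample.com%2COU%3D..."), so it is
    decoded before the RDNs are split; a CN containing an escaped comma
    is not handled by this simple split.
    """
    root = ET.fromstring(item_xml)
    subject = root.find(f".//{{{L7_NS}}}CertificateData/{{{L7_NS}}}SubjectName").text
    dn = urllib.parse.unquote_plus(subject)
    for rdn in dn.split(","):
        if rdn.startswith("CN="):
            return rdn[3:]
    raise ValueError("no CN in subject: " + dn)


def alias_matches_cn(alias: str, cn: str) -> bool:
    """Exact, case-sensitive comparison, which is what the gateway requires."""
    return alias == cn


# Constructed, trimmed-down Item response (not a real gateway reply).
SAMPLE_ITEM = (
    f'<l7:Item xmlns:l7="{L7_NS}"><l7:Resource><l7:PrivateKey alias="example.com">'
    "<l7:CertificateChain><l7:CertificateData>"
    "<l7:SubjectName>CN%3Dexample.com%2COU%3DInformation+Technology%2CO%3DExample</l7:SubjectName>"
    "</l7:CertificateData></l7:CertificateChain></l7:PrivateKey></l7:Resource></l7:Item>"
)
```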