Solved

Automating custom certificates in 9.6.x

  • June 5, 2025
  • 21 replies
  • 284 views


I want to automate adding my custom certificates in 9.6.x (and later 25.x).  I’ve found references to older versions of Integrity for file locations but have they changed in 9.6.x?  If so, which directory?


21 replies

dmuscat
  • Active Endpoint
  • June 5, 2025

I have requested the ability to automate certs into the BlueCat ecosystem, especially now that public certs are changing their life cycle: starting March 2026 to 200 days, then March 2027 to 100 days, then eventually down to 45 days in March 2029. Now the public changes do not affect private certs, but yes, it would be nice to have those automations available.

DM


rharolde
  • DNS/DHCP/IPAM at U of Michigan
  • June 5, 2025

My coworker submitted a feature request for automated SSL Certificates - KI-026353

 


  • Author
  • Authenticated Nodes
  • June 5, 2025

I think I followed that feature request.

Automation will definitely be needed by that time.

Even with our private certs we still want to automate the updates.  We can automate generating and pulling the certs from our internal CA (which also monitors and alerts when the cert is nearing expiration), so installing them in Integrity is the next step.


rharolde
  • DNS/DHCP/IPAM at U of Michigan
  • June 5, 2025

But to answer the original question, yes, it appears that the certs are in the same places in 9.6.1 as in previous versions.

https://care.bluecatnetworks.com/s/article/How-to-manually-install-CA-Certificates-on-Address-Manager-and-DNS-DHCP-Servers says that the known CA certs are in /usr/share/ca-certificates and on my 9.6.1 server I find certs in /usr/share/ca-certificates/mozilla so that looks correct.

The keystore is still at /opt/server/proteus/etc/keystore, which matches https://care.bluecatnetworks.com/s/detail/a8B400000008PK8EAM

The user cert is in /data/server/conf per https://care.bluecatnetworks.com/s/detail/a8B400000008OoTEAU



dmuscat
  • Active Endpoint
  • June 5, 2025

I currently have a KI KI-026189

 


bshorland
  • BlueCat Employee
  • Answer
  • June 14, 2025
PUT https://{{bamip}}/api/v2/settings/10

Payload (private key and certificate redacted)

{
  "type": "WebAccessSettings",
  "httpEnabled": true,
  "httpToHttpsRedirectionEnabled": false,
  "httpsEnabled": true,
  "authenticator": null,
  "privateKey": "<REDACTED>",
  "certificate": "<REDACTED>",
  "caCertificates": []
}



 


  • Trusted Resolver
  • June 14, 2025

What version is that supported in, Brian?  Is caCertificates used as intermediate/chain?  Restart required?


bshorland
  • BlueCat Employee
  • June 14, 2025

That’s on X 25.1; it is present in 9.6, but it’s been enhanced in 25.1. It does accept a CA in the schema. I had problems with it in the UI on the latest 25.1 build before Cisco Live, so I reverted to the API.


  • Trusted Resolver
  • June 16, 2025

Would you expect this to work on 25.1.0-806.QA.bcn?  I keep getting a 500 error.

{"status":500,"reason":"Internal Server Error","code":"UnexpectedError","message":"An unexpected error was encountered while servicing request","detail":"A MultiException has 4 exceptions.  They are:\n1. MessageBodyReader not found for media type=application/octet-stream, type=class org.glassfish.jersey.media.multipart.FormDataMultiPart, genericType=class org.glassfish.jersey.media.multipart.FormDataMultiPart.\n2. java.lang.IllegalStateException: Entity input stream has already been closed.\n3. java.lang.IllegalArgumentException: While attempting to resolve the dependencies of com.bluecatnetworks.proteus.api.service.bean.ReportSettingsBean errors were found\n4. java.lang.IllegalStateException: Unable to perform operation: resolve on com.bluecatnetworks.proteus.api.service.bean.ReportSettingsBean\n"}



bshorland
  • BlueCat Employee
  • June 17, 2025

Tim, I would expect that to be working in 800+ builds … I’m using B890 there


  • Author
  • Authenticated Nodes
  • July 23, 2025

I’ve got a certificate and key generated using the Lego ACME client. I’m able to load the cert and key using the GUI after converting the private key with:

openssl pkey -in private.key -out converted.key

I get this response from the API:

{"status":400,"reason":"Bad Request","code":"InvalidPrivateKeyValue","message":"The value for resource field 'privateKey' is not a valid Base64-encoded private key in PKCS#8 or PKCS#1 format"}

I’ve tried both the converted and original key.

Does anyone know the proper conversion to specify with openssl for the private key?



  • Author
  • Authenticated Nodes
  • July 23, 2025

Also is there any way to get the private key?  The GET returns “_redacted”.  I was hoping to see what it was so I could compare the format with what I have.


  • Author
  • Authenticated Nodes
  • July 27, 2025

Okay, I’ve made progress, my issue was in reading the cert and key files.  I’ve got that part sorted but now I need to add code to strip out the headers and trailers and separate out the server cert in the cert file.


  • Author
  • Authenticated Nodes
  • July 28, 2025

I thought I’d check against Integrity 25 and see that I shouldn’t have to strip out the headers or the issuer cert so I’m going to have to dig into it more.  When I compare what I’m sending vs. what the GUI in 25 sends it looks the same so I’m missing something.


dmuscat
  • Active Endpoint
  • April 20, 2026

Any luck in getting that to work?


  • Author
  • Authenticated Nodes
  • April 20, 2026

I finally got it to work by switching from LEGO using the built-in BlueCat integration to certbot and some Python scripts.

I have no idea why the certs generated by LEGO didn’t work, everything looked correct when I inspected the certs with openssl and other systems didn’t have issues with the certs issued by LEGO.


rharolde
  • DNS/DHCP/IPAM at U of Michigan
  • April 20, 2026

Does it work on 9.6.3 ?   So far my attempts have failed.  What format for the key, cert, and chain?  The ‘get’ shows the cert as one string without line endings or header/footer, so that is what I attempted, but the chain has multiple certs with no break in that format, and it complains.


  • Trusted Resolver
  • April 20, 2026

Haven’t tested in 9.6 but it definitely works in 25.1.2.  Each cert and key should be passed as a single PEM string with no BEGIN/END headers/footers.  caCertificates for the chain should be a list of single-line PEM-encoded certs with no begin/end headers/footers.
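
Putting the format notes in this reply together with the accepted answer's PUT to /api/v2/settings/10, and the earlier 400 error that names PKCS#8 or PKCS#1 as the accepted key encodings, here is an added Python example. It is not BlueCat's code and not the original poster's scripts. It splits an ACME-style fullchain file into the leaf certificate and the chain, strips the BEGIN/END markers and line breaks so every value is one base64 string, puts each chain certificate in its own caCertificates entry, and refuses a key whose PEM label is neither "PRIVATE KEY" (PKCS#8) nor "RSA PRIVATE KEY" (PKCS#1); an EC key written in SEC1 form ("EC PRIVATE KEY") is neither, which is what the openssl pkey conversion mentioned earlier rewrites into PKCS#8. The Authorization header usage, the --auth and --cafile options and the file layout are assumptions, not from the thread; the http* values mirror the accepted answer's payload.

```python
"""Build and send the WebAccessSettings payload for PUT /api/v2/settings/10.

Added example for this thread; not BlueCat's code. Reads an ACME-style
fullchain file (leaf first, then intermediates) and a private key file and
converts them into the single-line, marker-free strings the API expects.
"""
import argparse
import base64
import json
import re
import ssl
import urllib.request

# One PEM block: the label (CERTIFICATE, PRIVATE KEY, ...) and the base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# PEM labels of the two key encodings the API's 400 error names:
# PKCS#8 ("PRIVATE KEY") and PKCS#1 ("RSA PRIVATE KEY").
ACCEPTED_KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY")


def pem_blocks(text):
    """Return [(label, body), ...] with each body as one line of base64.

    Line breaks inside the body are removed and the body is checked to be
    valid base64, so a truncated or mis-read file fails here, not at the API.
    """
    blocks = []
    for label, body in _PEM_BLOCK.findall(text):
        body = "".join(body.split())
        base64.b64decode(body, validate=True)  # binascii.Error if not base64
        blocks.append((label, body))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def key_format_problem(label):
    """Return "" if the key label is PKCS#8 or PKCS#1, otherwise an explanation.

    A SEC1 "EC PRIVATE KEY" block (the form many tools write EC keys in) is
    neither; 'openssl pkey -in private.key -out converted.key' emits PKCS#8.
    """
    if label in ACCEPTED_KEY_LABELS:
        return ""
    return (f"key label '{label}' is not PKCS#8/PKCS#1; convert with "
            "'openssl pkey -in private.key -out converted.key' and retry")


def build_payload(fullchain_pem, key_pem, redirect_http_to_https=False):
    """Map the PEM files onto the WebAccessSettings fields.

    First CERTIFICATE block -> "certificate"; remaining blocks -> "caCertificates",
    one list entry per certificate (one concatenated string is rejected).
    The http* values mirror the accepted answer's payload unless overridden.
    """
    certs = [b for label, b in pem_blocks(fullchain_pem) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("chain file contains no CERTIFICATE block")
    keys = pem_blocks(key_pem)
    if len(keys) != 1:
        raise ValueError("key file must contain exactly one PEM block")
    label, key_body = keys[0]
    problem = key_format_problem(label)
    if problem:
        raise ValueError(problem)
    return {
        "type": "WebAccessSettings",
        "httpEnabled": True,
        "httpToHttpsRedirectionEnabled": redirect_http_to_https,
        "httpsEnabled": True,
        "authenticator": None,
        "privateKey": key_body,
        "certificate": certs[0],
        "caCertificates": certs[1:],
    }


def put_settings(bam_host, auth_header, payload, cafile=None):
    """PUT the payload to settings/10 and return the parsed JSON response.

    Assumption (not from the thread): the API session credential is sent as
    the value of an Authorization header; check the REST v2 docs for the scheme.
    TLS verification stays on; pass cafile when BAM's current cert is private.
    """
    req = urllib.request.Request(
        f"https://{bam_host}/api/v2/settings/10",
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": auth_header},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Install a certificate via the BAM v2 API")
    ap.add_argument("bam_host")
    ap.add_argument("fullchain", help="PEM file: leaf certificate followed by chain")
    ap.add_argument("key", help="PEM private key, PKCS#8 or PKCS#1")
    ap.add_argument("--auth", required=True, help="Authorization header value (assumed)")
    ap.add_argument("--cafile", help="CA bundle that signed BAM's current certificate")
    ap.add_argument("--dry-run", action="store_true", help="print payload, key redacted")
    args = ap.parse_args()
    with open(args.fullchain) as f, open(args.key) as g:
        body = build_payload(f.read(), g.read())
    if args.dry_run:
        print(json.dumps({**body, "privateKey": "<REDACTED>"}, indent=2))
    else:
        print(json.dumps(put_settings(args.bam_host, args.auth, body, args.cafile), indent=2))
```

Run it once with --dry-run to see the exact strings that will be sent before touching the appliance. After a successful PUT the appliance presents the new certificate, so any --cafile used on the next run has to trust the new issuer, not the old one.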


  • Author
  • Authenticated Nodes
  • April 20, 2026

I only tested as far as 9.6.2 before moving to 25.1.2, but it worked (and also works with 25.1.2, I will be testing 26.1 soon).


  • Trusted Resolver
  • April 20, 2026

My tests against 26.1 have been successful as well.


rharolde
  • DNS/DHCP/IPAM at U of Michigan
  • April 21, 2026

@tmaestas Yes! It works! Thanks! What was missing from the documentation was what you provided: “Each cert and key should be passed as a single PEM string with no BEGIN/END headers/footers. caCertificates for the chain should be a list of single-line PEM-encoded certs with no begin/end headers/footers.”