How to upload Custom Cert on activate using Curl commands?

Requirement:

 

We would need to upload a custom self signed cert to IAP to form a VPN tunnel between VMC and IAP as VMC doesn't have a Aruba TPM cert.

Solution:

 

We have a list of Curl commands to perform this action

Configuration:

 

Below are the commands used,

 

To login:

-----------

 curl -k --insecure -c cookie.txt -X POST -d "credential_0=username&credential_1=password" https://activate.arubanetworks.com/LOGIN

To add a new certificate:

------------------------

cat <certname> | python -c "import sys, json; print 'json={\"cert\":' + json.dumps(sys.stdin.read()) + '}'" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=add

To update with a new certificate:

--------------------------------

 

cat <certname> | python -c "import sys, json; print 'json={\"cert\":' + json.dumps(sys.stdin.read()) + '}'" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://device.arubanetworks.com/api/ext/ta.json?action=update

To verify the certificate details

 

curl -kv -b cookie.txt https://device.arubanetworks.com/api/ext/ta.json?action=detail

Verification

Sample outputs,

 

To login:

--------

 

$ curl -k --insecure -c cookie.txt -X POST -d "credential_0=arubatac&credential_1=******" https://activate.arubanetworks.com/LOGIN

 

To add a new cert:

-----------------

 

cat certn.pem | python -c "import sys, json; print 'json={\"cert\":' + json.dumps(sys.stdin.read()) + '}'" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=add

Note: Unnecessary use of -X or --request, POST is already inferred.

*   Trying 104.36.249.200...

* TCP_NODELAY set

* Connected to activate.arubanetworks.com (104.36.249.200) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*   CAfile: /etc/ssl/cert.pem

  CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: C=US; ST=California; L=Sunnyvale; O=Aruba Networks, Inc.; OU=Cloud; CN=activate.arubanetworks.com

*  start date: Jan 29 00:00:00 2018 GMT

*  expire date: Jan 28 12:00:00 2021 GMT

*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1

*  SSL certificate verify ok.

> POST /api/ext/ta.json?action=add HTTP/1.1

> Host: activate.arubanetworks.com

> User-Agent: curl/7.54.0

> Accept: */*

> Cookie: csrf_token=2ff77e52-a5a3-4001-becd-bafdf284db97; session=f923dca1-67cd-4bbd-9bcb-a46baaff3db3

> Content-Length: 1199

> Content-Type: application/x-www-form-urlencoded

> Expect: 100-continue

> 

< HTTP/1.1 100 Continue

* We are completely uploaded and fine

< HTTP/1.1 200 OK

< Date: Mon, 05 Aug 2019 15:37:55 GMT

< Server: Apache/2.4.6 (CentOS)

< X-Frame-Options: SAMEORIGIN

< Cache-Control: no-cache

< Content-Disposition: inline;filename=ta.json

< Content-Length: 34

< Content-type: application/json; charset=utf-8

< Expires: -1

< Pragma: no-cache

< 

* Connection #0 to host activate.arubanetworks.com left intact

 

To update the cert:

------------------

$ cat certn.pem | python -c "import sys, json; print 'json={\"cert\":' + json.dumps(sys.stdin.read()) + '}'" | curl -kv -b cookie.txt -X POST --data-urlencode "@-" https://activate.arubanetworks.com/api/ext/ta.json?action=update

Note: Unnecessary use of -X or --request, POST is already inferred.

*   Trying 104.36.249.200...

* TCP_NODELAY set

* Connected to activate.arubanetworks.com (104.36.249.200) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*   CAfile: /etc/ssl/cert.pem

  CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: C=US; ST=California; L=Sunnyvale; O=Aruba Networks, Inc.; OU=Cloud; CN=activate.arubanetworks.com

*  start date: Jan 29 00:00:00 2018 GMT

*  expire date: Jan 28 12:00:00 2021 GMT

*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1

*  SSL certificate verify ok.

> POST /api/ext/ta.json?action=update HTTP/1.1

> Host: activate.arubanetworks.com

> User-Agent: curl/7.54.0

> Accept: */*

> Cookie: csrf_token=2ff77e52-a5a3-4001-becd-bafdf284db97; session=f923dca1-67cd-4bbd-9bcb-a46baaff3db3

> Content-Length: 1199

> Content-Type: application/x-www-form-urlencoded

> Expect: 100-continue

> 

< HTTP/1.1 100 Continue

* We are completely uploaded and fine

< HTTP/1.1 200 OK

< Date: Mon, 05 Aug 2019 15:41:29 GMT

< Server: Apache/2.4.6 (CentOS)

< X-Frame-Options: SAMEORIGIN

< Cache-Control: no-cache

< Content-Disposition: inline;filename=ta.json

< Content-Length: 34

< Content-type: application/json; charset=utf-8

< Expires: -1

< Pragma: no-cache

< 

* Connection #0 to host activate.arubanetworks.com left intact

 

 

To view the cert:

----------------

 

curl -kv -b cookie.txt https://activate.arubanetworks.com/api/ext/ta.json?action=detail

*   Trying 104.36.249.200...

* TCP_NODELAY set

* Connected to activate.arubanetworks.com (104.36.249.200) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

*   CAfile: /etc/ssl/cert.pem

  CApath: none

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384

* ALPN, server did not agree to a protocol

* Server certificate:

*  subject: C=US; ST=California; L=Sunnyvale; O=Aruba Networks, Inc.; OU=Cloud; CN=activate.arubanetworks.com

*  start date: Jan 29 00:00:00 2018 GMT

*  expire date: Jan 28 12:00:00 2021 GMT

*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust TLS RSA CA G1

*  SSL certificate verify ok.

> GET /api/ext/ta.json?action=detail HTTP/1.1

> Host: activate.arubanetworks.com

> User-Agent: curl/7.54.0

> Accept: */*

> Cookie: csrf_token=1aa43116-d3d9-455c-a4d7-2820cf9af3c0; session=26956d31-11a7-4041-8f47-00f9050a67ac

> 

< HTTP/1.1 200 OK

< Date: Mon, 05 Aug 2019 15:42:46 GMT

< Server: Apache/2.4.6 (CentOS)

< X-Frame-Options: SAMEORIGIN

< Cache-Control: no-cache

< Content-Disposition: inline;filename=ta.json

< Content-Length: 1157

< Content-type: application/json; charset=utf-8

< Expires: -1

< Pragma: no-cache

< Vary: Accept-Encoding

< 

* Connection #0 to host activate.arubanetworks.com left intact

{"trust_anchor":{"customer_id":"9a4b44dd-a5f8-4076-95a1-4c28917d9d3f",

"cert":"-----BEGIN CERTIFICATE-----

MIIC4DCCAcigAwIBAgIBADANBgkqhkiG9w0BAQUFADAhMR8wHQYDVQQDExZBT1M6

OjAwOjUwOjU2Ojg5Ojk5OjYyMB4XDTE5MDUyMDEzNTQ1MloXDTI5MDUxNzEzNTQ1

MlowITEfMB0GA1UEAxMWQU9TOjowMDo1MDo1Njo4OTo5OTo2MjCCASIwDQYJKoZI

hvcNAQEBBQADggEPADCCAQoCggEBAL7//DYpU6adFcIz6KKRJGZvCgyUMV6Wj/LD

VzGI1vQNyl39suhn7Zydx+BvKJb5779KTJcrt82Vd50l+2JH59RqtTyK6MSz1DV4

CFxyZHOMRyEwAp+Uw/FcdiVTAO5vL1+3I1FzDlanO8ggn9lMYsuZ7+sE4X7QgPso

vlH+rfBpwhLVddVss7vca2J/9Q3z4hMQA6Yram+iFT6wqa+blWbNQLmzno8VcfqN

uHn238kKm+I37nCce7kuYBtmtwLeJTediJYoLud/roSV6F6p6WdBPnZLJSmAKUQq

2ENsSAM7N6D95WmuKS94pUNreMvZq4fhwiu2x5gWdOTZlQkPHc0CAwEAAaMjMCEw

DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAaYwDQYJKoZIhvcNAQEFBQAD

ggEBAK9NddjAS9FggFjpI9+eXYHgCfF5QMBsXQGHy1rQxzm2czoLcqzRqQ7w5Fu0

ytH/mOgl72WmDBJDaN/hlQQEMc3LJ6dAl8Wm3SvJuxURwM10B/Vsq2SpvawvXXzv

YqYEoR6WF56KiCw56RCjqf7S7XMgs3VML84MxUYaWrFha3jVVVkmBzp5cVnOtEW8

LmQRrmckPlBe3HI+uXCxgr8gthGkry75spgZ8zBzu7YKvuixZvIttwysI3p5SEUY

PQ3EezY0iF23ejV9ZpokdTIWKB4=
-----END CERTIFICATE-----
"}}