Showing results for 
Search instead for 
Did you mean: 

Can't import an SSL Certificate through the CLI

New Contributor

Can't import an SSL Certificate through the CLI

I'm trying to import an ssl certificate through the CLI using:

Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "/tmp/example.local.pem", public_cert: "/tmp/example.local.cert" } ]

But I get the error message:

Private key for 'Example Certificate' does not appear to be a valid RSA private key in PEM format.

I can import the certificate fine through the web ui and the riverbed cert tool says the certificate is fine.

Am I missing something?

New Contributor

Re: Can't import an SSL Certificate through the CLI

So I've dug through the perl and it looks like I should be passing through the content of those files.


Re: Re: Can't import an SSL Certificate through the CLI


    When I see this error in the GUI (which is really doing the same thing AFAIK) I usually convert the key format using openssl:

Try this and see how you go....

openssl rsa -in my-private-key.pem -text

New Contributor

Re: Can't import an SSL Certificate through the CLI

The issue does seem to be you need to provide the contents of the key file to zcli. Now I can't work out how to split a command over multiple lines. If I try inputting the key and certificate as one line the riverbed cert tool fails to recognise them as being valid. It outputs:

Error reading key file:Invalid format, no '-----END' found


Re: Can't import an SSL Certificate through the CLI

I tried the command with the key and cert on a single line and no joy (*):

* Before anyone comments on me posting a private key file in a forum, it is a test key created for this exercise..

Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "-----BEGIN RSA PRIVATE KEY-----MIICXAIBAAKBgQCs4vOOBoyLom2Wp8VwyW1JVD392r+5ThkgX+dwUTkb61ADPxMnJLRitumE5SOvP3saR54qnqcJFtlI1Ijv3FYSzqR9PP5en8lhanm9mvtJv+TZRA1TiVUxNM9CXa040jMvHutJ2rBRhn0WD3ny3M9bzF+OIsStfODORsSlOftTtwIDAQABAoGAcwmwtlh1PJSgBxcrsZjWN2zusvPTjyIAZiJqhboGHiW93+sge3NY9DZxvBQcYogDCcGN5R4cV1f0zRle5Pvf6RuycRQQuMdw9MFgp31QkuGt+I5/cIRr3WxUyEnlIk96twbK5l+O2hufY2iveZDDGYJ/Tnh3VxLPktdzmC5AXAECQQDYShZlo8Ya0o9OucPg6ZTnGEucqMg76cxSx2Tpb7KrT10KG5cbVO8ihVhWfCX5bth+5XlUQj35tsTsj7fQdDl3AkEAzKDdzzf0eUKMfoe1K+jAtyr8CihjpGr15/twgXPKIOVhE9BTTXBeDifuhIQOitKfKpPz4ueZNCHI4HBKt/RHwQJAF223DV13KRKj2VhAAo3qxjmYfyi9P9gsfM8CfFLQHMRlBKJGdPx3RtsA3aVnC6TZKK28vcbLJdCJdkJ/G8JrMwJAVMiqXrtebgem0p5D8KeFgd8rgsHtVyiCLtY9bUWekDa6HE2K1mEid1cQOpPEurw9+pRGztMK5VDCPEwKiWGLgQJBAMe9VRSd3SqnRxaanpNWhVqoa9t+x+Co2TrkelZNJaVERgLJlvfQNMBlyo0rj5xik6akOkgUqq7etR7JJgbCZKI=-----END RSA PRIVATE KEY-----", public_cert: "-----BEGIN CERTIFICATE-----MIIC7zCCAdegAwIBAgIGATzTkTGBMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNVBAYTAkFVMRIwEAYDVQQKDAlzbnJrbC5vcmcxIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxjYS5zbnJrbC5vcmcwHhcNMTMwMjEzMTIzOTMzWhcNMTQwMjEzMTIzOTM0WjAnMQswCQYDVQQGEwJBVTEYMBYGA1UEAwwPd3d3LndlYnNpdGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs4vOOBoyLom2Wp8VwyW1JVD392r+5ThkgX+dwUTkb61ADPxMnJLRitumE5SOvP3saR54qnqcJFtlI1Ijv3FYSzqR9PP5en8lhanm9mvtJv+TZRA1TiVUxNM9CXa040jMvHutJ2rBRhn0WD3ny3M9bzF+OIsStfODORsSlOftTtwIDAQABo3IwcDAfBgNVHSMEGDAWgBQ7O1i+1WtMYU26+JwmpfzSL4ERPDAdBgNVHQ4EFgQUgdbhZG/tYACaSBjiP/frUwlt53MwDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBACJR9Jhg6ga7usSkzR1ODA7HVNqVvNCKulGLvn4JWuDejpoF+1/M492/6MJwVpp4wIfFw/azBLgm7JWiTKqrfiMzd9+yS78PLJmUdFqWdjlB5vPISdGmQGdXwTh9CQHZL4dta5mhLydADn1gcBCq8L4cddFx7ZcK1CCC/w1kSYdvi6ajbaV1GKzlqc9Q7n4sgrTBcbLnloDI3lYLUlYz1hckDNoIXHY1fE944ewgU9SIgrOOqAqtpLlCfB9ww58k5nynleGaSefgsUxRloOh0MtFtNivf044VkKcG6jo0ROkkpwDt31ma2ddEEuwB7gqSx6h6XhzTKDcTIv3M+83LFc=-----END CERTIFICATE-----" } ] 

I get an error also:

certificate and private key for 'Example Certificate' do not match (Certificate/private key pre-check failed: Error reading key file:Invalid format, no '-----END' found

New Contributor

Re: Can't import an SSL Certificate through the CLI

So the way to handle this is you need to pass in the file contents and you need to escape new lines so the command ends up looking something like:

Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "-----BEGIN RSA PRIVATE KEY-----\nkey\ncontents\nhere\n-----END RSA PRIVATE KEY-----", public_cert: "-----BEGIN CERTIFICATE-----\ncertificate\ncontents\here\n-----END CERTIFICATE-----" } ]

Would be nice if this were changed so we could just reference the files.


Re: Can't import an SSL Certificate through the CLI


     Nice catch.. I tested it, and the only newlines you need are at the end of the ---BEGIN--- and ---END--- lines, so this worked too:

Catalog.SSL.Certificates.importCertificate ["Example Certificate"] [ { private_key: "-----BEGIN RSA PRIVATE KEY-----\nMIICXAIBAAKBgQCs4vOOBoyLom2Wp8VwyW1JVD392r+5ThkgX+dwUTkb61ADPxMnJLRitumE5SOvP3saR54qnqcJFtlI1Ijv3FYSzqR9PP5en8lhanm9mvtJv+TZRA1TiVUxNM9CXa040jMvHutJ2rBRhn0WD3ny3M9bzF+OIsStfODORsSlOftTtwIDAQABAoGAcwmwtlh1PJSgBxcrsZjWN2zusvPTjyIAZiJqhboGHiW93+sge3NY9DZxvBQcYogDCcGN5R4cV1f0zRle5Pvf6RuycRQQuMdw9MFgp31QkuGt+I5/cIRr3WxUyEnlIk96twbK5l+O2hufY2iveZDDGYJ/Tnh3VxLPktdzmC5AXAECQQDYShZlo8Ya0o9OucPg6ZTnGEucqMg76cxSx2Tpb7KrT10KG5cbVO8ihVhWfCX5bth+5XlUQj35tsTsj7fQdDl3AkEAzKDdzzf0eUKMfoe1K+jAtyr8CihjpGr15/twgXPKIOVhE9BTTXBeDifuhIQOitKfKpPz4ueZNCHI4HBKt/RHwQJAF223DV13KRKj2VhAAo3qxjmYfyi9P9gsfM8CfFLQHMRlBKJGdPx3RtsA3aVnC6TZKK28vcbLJdCJdkJ/G8JrMwJAVMiqXrtebgem0p5D8KeFgd8rgsHtVyiCLtY9bUWekDa6HE2K1mEid1cQOpPEurw9+pRGztMK5VDCPEwKiWGLgQJBAMe9VRSd3SqnRxaanpNWhVqoa9t+x+Co2TrkelZNJaVERgLJlvfQNMBlyo0rj5xik6akOkgUqq7etR7JJgbCZKI=\n-----END RSA PRIVATE KEY-----", public_cert: "-----BEGIN CERTIFICATE-----\nMIIC7zCCAdegAwIBAgIGATzTkTGBMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNVBAYTAkFVMRIwEAYDVQQKDAlzbnJrbC5vcmcxIDAeBgNVBAsMF0NlcnRpZmljYXRpb24gQXV0aG9yaXR5MRUwEwYDVQQDDAxjYS5zbnJrbC5vcmcwHhcNMTMwMjEzMTIzOTMzWhcNMTQwMjEzMTIzOTM0WjAnMQswCQYDVQQGEwJBVTEYMBYGA1UEAwwPd3d3LndlYnNpdGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCs4vOOBoyLom2Wp8VwyW1JVD392r+5ThkgX+dwUTkb61ADPxMnJLRitumE5SOvP3saR54qnqcJFtlI1Ijv3FYSzqR9PP5en8lhanm9mvtJv+TZRA1TiVUxNM9CXa040jMvHutJ2rBRhn0WD3ny3M9bzF+OIsStfODORsSlOftTtwIDAQABo3IwcDAfBgNVHSMEGDAWgBQ7O1i+1WtMYU26+JwmpfzSL4ERPDAdBgNVHQ4EFgQUgdbhZG/tYACaSBjiP/frUwlt53MwDgYDVR0PAQH/BAQDAgWgMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQEFBQADggEBACJR9Jhg6ga7usSkzR1ODA7HVNqVvNCKulGLvn4JWuDejpoF+1/M492/6MJwVpp4wIfFw/azBLgm7JWiTKqrfiMzd9+yS78PLJmUdFqWdjlB5vPISdGmQGdXwTh9CQHZL4dta5mhLydADn1gcBCq8L4cddFx7ZcK1CCC/w1kSYdvi6ajbaV1GKzlqc9Q7n4sgrTBcbLnloDI3lYLUlYz1hckDNoIXHY1fE944ewgU9SIgrOOqAqtpLlCfB9ww58k5nynleGaSefgsUxRloOh0MtFtNivf044VkKcG6jo0ROkkpwDt31ma2ddEEuwB7gqSx6h6XhzTKDcTIv3M+83LFc=\n-----END CERTIFICATE-----" } ]

ZCLI is actually written to use the SOAP API on the STM.  I am sure you could mod yours to parse the file in rather than the string if you wanted to...

Occasional Contributor

Re: Can't import an SSL Certificate through the CLI

You can use a file in the file system, but the syntax for this is slightly on the cryptic side:

Catalog.SSL.Certificates.importCertificate example {private_key:<("example.private"), public_cert:<("example.public") }

This assumes that the files are in the current working directory; absolute file names should also work.


Re: Re: Can't import an SSL Certificate through the CLI

Michael Granzow also showed me something I hadn't seen before in zcli: the help syntax command

admin@ > help syntax                               

Syntax for entering commands

Class.method arg1 arg2 arg3 ...

Arguments are space or comma-separated. Arguments with spaces, or with non-alphanumeric characters such as ":,|{}[]()'" characters, should be "quoted".

Many commands take a list of arguments, often corresponding to a list of objects (e.g. Virtual Servers). Lists should be put in square brackets, e.g.

VirtualServer.setTimeout [ "VS 1", "VS 2" ], [ 25, 30 ]

Commas between arguments are optional. As a shortcut, if the command expects a list but you are just giving one argument, you do not need to put the brackets around the arguments,

this will be performed for you, e.g. the following two commands are identical:

Pool.setKeepalive Intranet 1

Pool.setKeepalive [ Intranet ] [ 1 ]

Some commands expect structures with keys and values. These are entered using { } and using a ':' suffix on each key, e.g.

System.Stats.getNodeErrors { Address:, Port: 53 }

Wildcards are allowed for many functions. A '*' symbol will match multiple objects and also multiple commands (but they must have the same inputs), e.g.

Pool.getNodes *

VirtualServer.getPort System*


String arguments can be read in from files on disk.  You can read the content of a file as an argument using the <(filename) operator:

Catalog.SSL.CertificateAuthorities.importCertificateAuthority "my CA" <(~/CAs/myCA.pem)

System.LicenseKeys.addLicenseKeys <(/tmp/mylicense.txt)

Finally, you can pipe the output to a UNIX command from the commandline. For example, if your terminal is not large enough to read all of the output from a command, try appending

'| more' to the end of the command, e.g.

help syntax | more