KB Article #180521

RESTAPI: Export all Local Certificates and import them in another ST instance

Problem

In some situations, you might want to export all Local Certificates from one instance of ST and then import them into another instance, which might be running a different application version. Usually this is needed when the certificates are part of a migration to a higher ST version and the process has to be automated, or when the account export tool cannot be used for some reason.


This article provides examples of console commands for Linux that use the cURL and OpenSSL programs to export and import the Local Certificates. The commands can be integrated in any tool that you are developing on your own, or used as-is. Keep in mind that these are examples, and slight edits might be required to make them work in your environment or tool.


Resolution

The process essentially is a two-step one - the first step will export the certificates as .p12 files, which will be stored on the file system of the server that the command is executed on. The second step will be the import, which will require that the files are located on the file system of the server that the second command is executed on.


In all commands below, the following placeholders and default values are used:


  • ST_ADMIN_ACCOUNT:ST_ADMIN_PASS: The credentials (username:password) of a Master Administrator for ST, for example admin:admin.
  • ST_ADDRESS_SOURCE_SERVER:ST_ADMIN_PORT: The source server's IP or hostname and the port for the admin service (default is 444 for root instances and 8444 for non-root instances). For example: 10.10.10.10:444.
  • ST_ADDRESS_DESTINATION_SERVER:ST_ADMIN_PORT: The destination server's IP or hostname and the port for the admin service (default is 444 for root instances and 8444 for non-root instances). For example: 10.10.10.10:444.
  • "password": "temp12": This is a key-value pair from the API's JSON object, which holds the password for the certificate's .p12 capsule file. You can change the temp12 password string to something you prefer. The same password is used for the export and import, and it is the same for all certificate files.
  • pass:temp12: Part of the OpenSSL portion of the command and uses the same password set to the certificate files from the previous point.


All placeholders must be replaced with the appropriate values, so we recommend that you copy the commands into a text editor and review and edit them before use. Note also that the commands pass -k to curl, which disables verification of the admin service's TLS certificate; use --cacert with the CA of the admind certificate instead where the servers are reachable over an untrusted network. The administrator password and the .p12 password appear on the command line and therefore in the shell history and process list, and the exported .p12 files contain the private keys of the certificates, so choose a stronger password than temp12, restrict the permissions of the output folder, and delete the files once the import has been verified.


Exporting the certificates

To export all Local Certificates, convert them to PKCS#12 format, and store the output in files, execute the following:


# List the IDs of all Local Certificates on the source instance.
for id in $(curl -s -k -u ST_ADMIN_ACCOUNT:ST_ADMIN_PASS -X GET \
      "https://ST_ADDRESS_SOURCE_SERVER:ST_ADMIN_PORT/api/v1.1/certificates?usage=local" \
      -H "accept: application/json" | grep '"id"' | cut -d '"' -f 4); do
  # Look up the certificate's name (alias); it becomes the file name.
  name=$(curl -s -k -u ST_ADMIN_ACCOUNT:ST_ADMIN_PASS -X GET \
      "https://ST_ADDRESS_SOURCE_SERVER:ST_ADMIN_PORT/api/v1.1/certificates/$id" \
      -H "accept: application/json" | grep '"name" :' | cut -d '"' -f 4)
  echo "$name:"
  # Export the certificate together with its private key as a PKCS#12 blob protected
  # by the password temp12. The response is multipart/mixed: awk selects the
  # application/octet-stream part, tail/head drop its headers and the closing boundary,
  # the first openssl call decodes the blob and the second re-packages it as <name>.p12
  # under the same password.
  curl -s -k -X POST -u ST_ADMIN_ACCOUNT:ST_ADMIN_PASS \
      -H "Content-type: application/json" -H "Accept: multipart/mixed" \
      -d '{"id": "'"$id"'", "type" : "x509", "usage" : "local", "exportPrivateKey": true, "password": "temp12" }' \
      "https://ST_ADDRESS_SOURCE_SERVER:ST_ADMIN_PORT/api/v1.1/certificates/export" \
    | awk '/^Content-Type: application\/octet-stream/,/^--------/' | tail -n +4 | head -n -1 \
    | openssl pkcs12 -nodes -passin pass:temp12 \
    | openssl pkcs12 -export -password pass:temp12 -out "$name.p12"
done


The certificate files will be stored in the folder from which the above command has been executed. If you want to store them in another location, prepend the path to the "$name.p12" string near the end of the command. The first openssl step parses the exported PKCS#12 blob, so an error from it (rather than a written .p12 file) means the export of that certificate did not complete and needs to be checked before you continue.
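Before copying the .p12 files to the destination it is worth checking that each one actually opens with the chosen password, carries a private key that matches the certificate, and is not expired, because the import will otherwise fail or, worse, leave a server with a certificate it cannot use. The following is an added example, not part of the original article or of ST itself; it relies only on OpenSSL and makes no API calls. The functions, the password temp12 and the directory argument are assumptions for illustration.

```shell
#!/bin/sh
# check_p12: sanity-check one exported PKCS#12 file before it is imported elsewhere.
# Returns 0 only if the file opens with the given password, contains a private key,
# that key matches the leaf certificate, and the certificate has not expired.
# (Added example; relies on openssl only, not on the ST API.)
check_p12() {
  p12=$1
  pass=$2
  # Leaf certificate in PEM form; fails on a wrong password or a corrupt file.
  cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null) || {
    echo "$p12: cannot open (wrong password or corrupt file)" >&2; return 1; }
  # Private key in PEM form (unencrypted, kept in memory only).
  key=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null) || key=""
  case $key in
    *"PRIVATE KEY"*) ;;
    *) echo "$p12: no private key inside (exported without exportPrivateKey?)" >&2; return 2 ;;
  esac
  # The SubjectPublicKeyInfo derived from the key must equal the one in the certificate.
  cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
  key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout)
  [ "$cert_pub" = "$key_pub" ] || {
    echo "$p12: private key does not match certificate" >&2; return 3; }
  # -checkend 0 exits non-zero if the certificate is already expired.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || {
    echo "$p12: certificate has expired" >&2; return 4; }
  printf '%s: OK  %s  %s\n' "$p12" \
    "$(printf '%s\n' "$cert" | openssl x509 -noout -subject)" \
    "$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)"
}

# check_all_p12: run check_p12 over every *.p12 in a directory.
# Exit status is the number of files that failed (0 means all are good).
check_all_p12() {
  dir=$1
  pass=$2
  bad=0
  for f in "$dir"/*.p12; do
    [ -e "$f" ] || continue
    check_p12 "$f" "$pass" || bad=$((bad + 1))
  done
  return $bad
}

# Usage: check_all_p12 /path/to/exported/files temp12
```

Run check_all_p12 against the export folder before transferring anything; a file that fails with return code 2 was exported without its private key and has to be exported again with "exportPrivateKey": true, and one that fails with code 1 was most likely damaged while being cut out of the multipart response.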


Importing the certificates

To import the exported certificates, you need to have the certificate files in the folder from which the commands will be executed. There are then two possible use cases: importing the certificates into the new instance while overwriting the existing ones, or importing them without overwriting, i.e. keeping the existing certificates intact (for example, the admind certificate of the new instance).



Importing the certificates without overwriting

The command below leaves an existing certificate intact if its name matches one of the exported ones. In other words, the admind certificate of the new ST instance is preserved. The password in the metadata part must be the one the files were exported with.


for cert in *.p12; do
  [ -e "$cert" ] || continue
  # The certificate name in ST is the file name without the .p12 extension.
  cert_name=${cert%.p12}
  # JSON metadata part of the multipart request (no "overwrite", so existing names are kept).
  printf '{\n"name" : "%s",\n"password" : "temp12",\n"type" : "x509",\n"usage" : "local"\n}\n' "$cert_name" > first_part.txt
  curl -k -u ST_ADMIN_ACCOUNT:ST_ADMIN_PASS -X POST \
      --header "Content-Type: multipart/mixed" --header "Accept: application/json" \
      -F "myPartName1=@first_part.txt;type=application/json" \
      -F "myPartName2=@$cert;type=application/octet-stream" \
      https://ST_ADDRESS_DESTINATION_SERVER:ST_ADMIN_PORT/api/v1.4/certificates/import
done



Importing the certificates with overwriting

The command below overwrites any existing certificate whose name matches one of the exported certificates. In other words, the admind certificate of the new ST instance is replaced with the admind certificate from the old instance, so make sure that is what you want before running it.


for cert in *.p12; do
  [ -e "$cert" ] || continue
  # The certificate name in ST is the file name without the .p12 extension.
  cert_name=${cert%.p12}
  # JSON metadata part of the multipart request; "overwrite" replaces a certificate of the same name.
  printf '{\n"name" : "%s",\n"password" : "temp12",\n"type" : "x509",\n"overwrite" : "true",\n"usage" : "local"\n}\n' "$cert_name" > first_part.txt
  curl -k -u ST_ADMIN_ACCOUNT:ST_ADMIN_PASS -X POST \
      --header "Content-Type: multipart/mixed" --header "Accept: application/json" \
      -F "myPartName1=@first_part.txt;type=application/json" \
      -F "myPartName2=@$cert;type=application/octet-stream" \
      https://ST_ADDRESS_DESTINATION_SERVER:ST_ADMIN_PORT/api/v1.4/certificates/import
done