Cisco Prime Infrastructure CLI Templates for crypto key trustpoints

Eric R. Jones
Level 4

Hello, I'm trying to create a Cisco PI 3.1 Feature template to deploy crypto pki authenticate "TRUSTPOINTNAME" to edge switches.

The configuration works on the switch; however, when I try to deploy the configuration it doesn't work.

I have tried placing the key information in the template, and I currently have it set up as below using a variable called $CERTIFICATE that is of type "text area" so I can add any key required without having it displayed in the template.

I have tried to make use of the multi command line function, <MLTCMD>, and the interactive function to answer the questions.

When I deploy the template I have terminal monitor configured on the switch and can see that the crypto key generate command for label SSHKEYS works; however when running show crypto pki trustpoint $TRUSTPOINTNAME I can see the name is created but the trustpoint itself is not. 

The objective is to deploy configuration changes to our switches so we may use certificate based login via ISE to our edge devices so we may stop using username/passwords.

Can someone provide some insight on how to manipulate the functions in Features and Templates to get this working?

So close it seems but this is holding up my progress.

 

!#START of CLI Template

crypto pki trustpoint $TRUSTPOINTNAME
enrollment terminal
revocation-check none
authorization username alt-subjectname userprincipalname

<MLTCMD> crypto pki authenticate $TRUSTPOINTNAME

-----BEGIN CERTIFICATE-----
~key information deleted for brevity~
-----END CERTIFICATE-----

$COMPLETECERT

#INTERACTIVE
Do you accept this certificate? <IQ>[yes/no]: <R> yes
#ENDS_INTERACTIVE</MLTCMD>

crypto key generate rsa modulus $MODULUS label $LABLENAME usage-keys

ip ssh server certificate profile
user
trustpoint verify $TRUSTPOINTNAME
exit
exit

!#Crypto pki and crypto key generate ends here in ISE_PKIAuthenkey template

ip ssh server algorithm hostkey ssh-rsa
ip ssh server algorithm authentication publickey keyboard
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh server algorithm publickey x509v3-ssh-rsa

!#END of CLI Template

 

ej
Accepted Solution

Actually what the Cisco TAC engineers came up with was different and inventive.

#INTERACTIVE
crypto pki authenticate $TRUSTPOINTNAME<IQ>Enter<R><MLTCMD>#include("certificate.txt")<IQ>yes/no<R> yes</MLTCMD>
#ENDS_INTERACTIVE

The #include("certificate.txt") part refers to a file that resides on the Prime server in this folder:

/opt/CSCOlumos/conf/ifm/template/resources/templatesystem/

That file holds the crypto key, starting with the -----BEGIN CERTIFICATE----- line and ending with the -----END CERTIFICATE----- line, with no extra spaces, the same as you would enter it on the switch.

It works very well, with no cumbersome cutting and pasting.

I probably should have posted that here but just went right back into the mix.

Of course, to do this you will have to have shell access, not sudo, to Prime.

ej
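Because the template above answers "yes" to the switch's "Do you accept this certificate?" prompt automatically, nobody sees the fingerprint the switch prints at that moment. As an added example (not from this thread, Cisco TAC or Prime itself), here is a small Python pre-flight check to run on the certificate.txt file before copying it into the Prime resources folder: it enforces the exact marker lines and no-stray-whitespace rule described above, decodes the PEM body, and prints the MD5/SHA1 fingerprints of the DER certificate so they can be compared with the CA's published fingerprints out of band. Assumptions: the file holds a single PEM CA certificate, and IOS prints fingerprints as uppercase hex in groups of eight digits. The sample PEM body embedded below is a constructed placeholder DER SEQUENCE, not a real certificate.

```python
"""Pre-flight check for a certificate.txt file that a Prime CLI template
#include()s before auto-answering "yes" at the authenticate prompt.

Added example, not code from the thread. Assumes one PEM certificate per
file and the IOS fingerprint layout (uppercase hex, groups of 8).
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample: base64 of the DER SEQUENCE 30 03 02 01 05 (not a real cert).
SAMPLE_GOOD = f"{BEGIN}\nMAMCAQU=\n{END}\n"
# Constructed sample with the wrong dash count, as in a hand-typed marker.
SAMPLE_BAD_MARKER = f"------BEGIN CERTIFICATE---------\nMAMCAQU=\n{END}\n"
# Constructed sample with a leading space on a body line.
SAMPLE_BAD_SPACE = f"{BEGIN}\n MAMCAQU=\n{END}\n"


def parse_pem_certificate(text: str) -> bytes:
    """Validate a single PEM certificate block and return its DER bytes.

    Raises ValueError for the mistakes that make the switch reject the paste:
    malformed BEGIN/END markers, leading/trailing whitespace on a line,
    blank lines inside the block, or a body that is not valid base64.
    """
    lines = text.splitlines()
    while lines and lines[-1] == "":      # a trailing newline is harmless
        lines.pop()
    if not lines:
        raise ValueError("empty certificate file")
    if lines[0] != BEGIN:
        raise ValueError(f"first line must be exactly {BEGIN!r}, got {lines[0]!r}")
    if lines[-1] != END:
        raise ValueError(f"last line must be exactly {END!r}, got {lines[-1]!r}")
    body = lines[1:-1]
    if not body:
        raise ValueError("no base64 body between the markers")
    for n, line in enumerate(body, start=2):
        if line != line.strip():
            raise ValueError(f"line {n}: leading/trailing whitespace")
        if line == "":
            raise ValueError(f"line {n}: blank line inside the certificate")
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", line):
            raise ValueError(f"line {n}: non-base64 characters")
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    # Every DER certificate starts with the SEQUENCE tag 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def fingerprints(der: bytes) -> dict:
    """Digests of the DER bytes, formatted in the assumed IOS style."""
    def grouped(hexdigest: str) -> str:
        return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8)).upper()
    return {
        "MD5": grouped(hashlib.md5(der).hexdigest()),
        "SHA1": grouped(hashlib.sha1(der).hexdigest()),
        "SHA256": grouped(hashlib.sha256(der).hexdigest()),
    }


def check_certificate_file(text: str):
    """Return (True, fingerprint summary) if the file is deployable, else (False, reason)."""
    try:
        der = parse_pem_certificate(text)
    except ValueError as exc:
        return False, str(exc)
    fp = fingerprints(der)
    return True, f"MD5 {fp['MD5']} | SHA1 {fp['SHA1']}"


if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("bad marker", SAMPLE_BAD_MARKER),
                         ("bad space", SAMPLE_BAD_SPACE)]:
        ok, msg = check_certificate_file(sample)
        print(f"{name}: {'OK' if ok else 'REJECT'} - {msg}")
```

Run it against the real certificate.txt by reading the file into check_certificate_file; only copy the file to the Prime server once it reports OK and the printed MD5/SHA1 values match what the CA operator published, since the template will accept whatever is in that file without further prompting.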

3 Replies

Johannes_Grimm
Level 1

Hi Eric,

You have to delete the interactive part and add the quit command to inform the system that the certificate ends at this point.

For me the following syntax works fine.

<MLTCMD>
crypto pki authenticate $TRUSTPOINTNAME
-----BEGIN CERTIFICATE-----
~key information deleted for brevity~
-----END CERTIFICATE-----
quit
yes
</MLTCMD>

Best regards,

Johannes


Hi Eric,

Excuse me, I saw the solution from the perspective of Cisco DNA Center and not from the Prime perspective, as mentioned in the title.

In the DNAC case, templates usually work with variables, which are defined during the provisioning process.

There the code will look like this:

<MLTCMD>
crypto pki authenticate ${trustpoint}
${certificate}
quit
yes
</MLTCMD>

Good that you've found a solution.

Best regards,

Johannes