deploy IdenTrust Certificate with TCL script

mario.jost
Level 3

I would like to deploy the IdenTrust Root CA onto our devices via a TCL script. The problem is that the built-in ios_config syntax has some limitations: it will crash if you run it with a lot of options. So I am looking into importing the cert in other ways.

Option 1 - Importing the cert from a file.
There is a command that lets you import the key from a file instead of the terminal:

switch(config)#crypto pki trustpool import url flash:key.pem
Reading file from flash:key.pem
% No certificates imported from flash:key.pem.

But this does not work after IOS-XE 16.3.3 because of this bug: CSCvf16269.

Option 2 - Use ios_config within TCL

set result [ios_config "crypto pki trustpool import terminal\n-----BEGIN CERTIFICATE-----\nMIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\nMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu\nVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw\nMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw\nJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG\nSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT\n3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU\n+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp\nS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1\nbVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi\nT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL\nvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK\nVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK\ndHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT\nc+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv\nl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N\niGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB\n/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD\nggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH\n6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt\nLRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93\nnAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3\n+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK\nW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT\nAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq\nl1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG\n4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ\nmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A\n7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H\n-----END 
CERTIFICATE-----\nquit\n"]

This command is too long, and TCL will crash if you add more than x commands or if you go over x amount of characters; I don't know where the limitation is.

Option 3 - Use typeahead

typeahead "-----BEGIN CERTIFICATE-----\nMIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\nMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu\nVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwHhcNMTQwMTE2MTgxMjIzWhcNMzQw\nMTE2MTgxMjIzWjBKMQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScw\nJQYDVQQDEx5JZGVuVHJ1c3QgQ29tbWVyY2lhbCBSb290IENBIDEwggIiMA0GCSqG\nSIb3DQEBAQUAA4ICDwAwggIKAoICAQCnUBneP5k91DNG8W9RYYKyqU+PZ4ldhNlT\n3Qwo2dfw/66VQ3KZ+bVdfIrBQuExUHTRgQ18zZshq0PirK1ehm7zCYofWjK9ouuU\n+ehcCuz/mNKvcbO0U59Oh++SvL3sTzIwiEsXXlfEU8L2ApeN2WIrvyQfYo3fw7gp\nS0l4PJNgiCL8mdo2yMKi1CxUAGc1bnO/AljwpN3lsKImesrgNqUZFvX9t++uP0D1\nbVoE/c40yiTcdCMbXTMTEl3EASX2MN0CXZ/g1Ue9tOsbobtJSdifWwLziuQkkORi\nT0/Br4sOdBeo0XKIanoBScy0RnnGF7HamB4HWfp1IYVl3ZBWzvurpWCdxJ35UrCL\nvYf5jysjCiN2O/cz4ckA82n5S6LgTrx+kzmEB/dEcH7+B1rlsazRGMzyNeVJSQjK\nVsk9+w8YfYs7wRPCTY/JTw436R+hDmrfYi7LNQZReSzIJTj0+kuniVyc0uMNOYZK\ndHzVWYfCP04MXFL0PfdSgvHqo6z9STQaKPNBiDoT7uje/5kdX7rL6B7yuVBgwDHT\nc+XvvqDtMwt0viAgxGds8AgDelWAf0ZOlqf0Hj7h9tgJ4TNkK2PXMl6f+cB7D3hv\nl7yTmvmcEpB4eoCHFddydJxVdHixuuFucAS6T6C6aMN7/zHwcz09lCqxC0EOoP5N\niGVreTO01wIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB\n/zAdBgNVHQ4EFgQU7UQZwNPwBovupHu+QucmVMiONnYwDQYJKoZIhvcNAQELBQAD\nggIBAA2ukDL2pkt8RHYZYR4nKM1eVO8lvOMIkPkp165oCOGUAFjvLi5+U1KMtlwH\n6oi6mYtQlNeCgN9hCQCTrQ0U5s7B8jeUeLBfnLOic7iPBZM4zY0+sLj7wM+x8uwt\nLRvM7Kqas6pgghstO8OEPVeKlh6cdbjTMM1gCIOQ045U8U1mwF10A0Cj7oV+wh93\nnAbowacYXVKV7cndJZ5t+qntozo00Fl72u1Q8zW/7esUTTHHYPTa8Yec4kjixsU3\n+wYQ+nVZZjFHKdp2mhzpgq7vmrlR94gjmmmVYjzlVYA211QC//G5Xc7UI2/YRYRK\nW2XviQzdFKcgyxilJbQN+QHwotL0AMh0jqEqSI5l2xPE4iUXfeu+h1sXIFRRk0pT\nAwvsXcoz7WL9RccvW9xYoIA55vrX/hMUpu09lEpCdNTDd1lzzY9GvlU47/rokTLq\nl1gEIt44w8y8bckzOmoKaT+gyOpyj4xjhiO9bTyWnpXgSUyqorkqG5w2gXjtw+hG\n4iZZRHUe2XWJUc0QhJ1hYMtd+ZciTY6Y5uN/9lu7rs3KSoFrXgvzUeF0K+l+J6fZ\nmUlO+KWA2yUPHGNiiskzZ2s8EIPGrd6ozRaOjfAHN3Gf8qv8QfXBi+wAN10J5U6A\n7/qxXDgGpRtK4dw4LTzcqx+QGtVKnO7RcGzM7vRX+Bi6hG6H\n-----END CERTIFICATE-----\nquit\n"
set result [ios_config "crypto pki trustpool import terminal"]

Sadly, typeahead seems to work only on exec and not on ios_config.

Option 4 - Use EEM

This option has brought me the farthest, but I cannot seem to find the correct statement.

ios_config "event manager applet INSTALLCERT" "event none"
ios_config "event manager applet INSTALLCERT" "action 001 cli command \"enable\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 002 cli command \"config terminal\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 003 cli command \"crypto pki trustpool import terminal\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 004 cli command \"-----BEGIN CERTIFICATE-----\\n\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 005 cli command \"MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\\n\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 006 cli command \"quit\\n\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 007 cli command \"no event manager applet INSTALLCERT\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 008 cli command \"end\"" "exit"
ios_config "event manager applet INSTALLCERT" "action 009 cli command \"write\"" "exit"
set result [exec "event manager run INSTALLCERT"]

This gives me the following configuration on the device:

event manager applet INSTALLCERT
 event none
 action 001 cli command "enable"
 action 002 cli command "config terminal"
 action 003 cli command "crypto pki trustpool import terminal"
 action 004 cli command "-----BEGIN CERTIFICATE-----\n"
 action 005 cli command "MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\n"
 action 006 cli command "quit\n"
 action 007 cli command "no event manager applet INSTALLCERT"
 action 008 cli command "end"
 action 009 cli command "write"

But it never gets to the part of entering the key:

Feb 23 14:41:59.592: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : CTL : cli_open called.
Feb 23 14:41:59.690: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : OUT : switch>
Feb 23 14:41:59.690: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : IN  : switch>enable
Feb 23 14:41:59.703: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : OUT : switch#
Feb 23 14:41:59.703: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : IN  : switch#config terminal
Feb 23 14:41:59.817: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : OUT : Enter configuration commands, one per line.  End with CNTL/Z.
Feb 23 14:41:59.817: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : OUT : switch(config)#
Feb 23 14:41:59.817: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : IN  : switch(config)#crypto pki trustpool import terminal
Feb 23 14:42:19.674: %HA_EM-6-LOG: INSTALLCERT : DEBUG(cli_lib) : : CTL : cli_close called.
Feb 23 14:42:19.676: tty is now going through its death sequence

Essentially, the CLI gets torn down because the EEM applet reached its default timeout of 20s.

The reason I want to get this working is so I can use the same process to set up our routers automatically, which need to import our internal root CA for certificate-based FlexVPN authentication. So I really don't want to just deploy a <multicmd> solution via Prime, which is a manual way of doing things. How can I get this to work?

2 Replies

Hello,

I have gotten only one action further, by adding '\015' (which is the octal code for carriage return). The \n for new line is not recognized; if anything you would need '\012' (which is the octal code for line feed):

event manager applet INSTALLCERT
event none
action 001 cli command "enable"
action 002 cli command "config terminal"
action 003 cli command "crypto pki trustpool import terminal\015"
action 004 cli command "-----BEGIN CERTIFICATE-----\n"
action 005 cli command "MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\n"
action 006 cli command "quit\n"
action 007 cli command "no event manager applet INSTALLCERT"
action 008 cli command "end"
action 009 cli command "write"

mario.jost
Level 3

Dear Georg,

Thanks for your input. I did not know about the \015 and \012 and gave them a try. The \015 does not work, as it does an additional return for every line. This breaks the certificate install via the terminal process in IOS. The \012 was much more promising, but it does not work if I use it line by line like this:

event manager applet INSTALLCERT
event none
action 001 cli command "enable"
action 002 cli command "config terminal"
action 003 cli command "crypto pki trustpool import terminal\012"
action 004 cli command "-----BEGIN CERTIFICATE-----\012"
action 005 cli command "MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\012"
action 006 cli command "quit\012"

So I tried to do it in the same line like this:

event manager applet INSTALLCERT
event none
action 001 cli command "enable"
action 002 cli command "config terminal"
action 003 cli command "crypto pki trustpool import terminal\012-----BEGIN CERTIFICATE-----\012MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\012quit\012"

This works if I look at the output of debug event manager action cli. But this brings me back to the old dilemma: I have to enter the complete certificate as one long string, which breaks the ios_config command. I even tried to do it manually, but when I try to paste such a long command into the CLI, it also has some maximum-characters-per-line limitation and stops. This is what I get when pasting the complete certificate manually:

event manager applet INSTALLCERT3
 event none
 action 001 cli command "enable"
 action 002 cli command "config terminal"
 action 003 cli command "crypto pki trustpool import terminal\012-----BEGIN CERTIFICATE-----\012MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBK\012MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MScwJQYDVQQDEx5JZGVu\012VHJ1c3QgQ29tbWVyY2lhbCBSb2"
 action 007 cli command "no event manager applet INSTALLCERT3"

It just stops after 259 characters on action 003. Is there a way to lift this character limitation somehow?

Thanks for your help, your effort in resolving this is greatly appreciated.
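As an added example from the editor, not from either poster: an off-box Python generator that validates the PEM first and then packs its lines into EEM cli actions that each stay within the 259-character limit mario hit, using the \012 line feed Georg suggested. It assumes, untested here, that IOS treats several PEM lines inside one action the way it treated mario's single long action, and the certificate in it is constructed filler, not the IdenTrust root.

```python
import base64
import binascii

# Limit observed in the thread: an EEM "action ... cli command" line was
# cut off after 259 characters when the full certificate was pasted.
EEM_LINE_LIMIT = 259
# Octal escape for line feed (Georg's suggestion), written literally into the
# applet so EEM sends a newline after each certificate line.
LF = "\\012"
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_lines(pem: str) -> list[str]:
    """Check that `pem` is one PEM CERTIFICATE block with a valid base64
    body and return its lines, markers included."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("input is not a single PEM CERTIFICATE block")
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    return lines

def render_action(seq: int, text: str) -> str:
    return f' action {seq:03d} cli command "{text}"'

def build_applet(pem: str, name: str = "INSTALLCERT", limit: int = EEM_LINE_LIMIT) -> list[str]:
    """Pack the import command, the PEM lines and 'quit' into as few cli
    actions as fit under `limit`, every item terminated with \\012 (assumed
    to behave like mario's single-action form; not verified on a device)."""
    items = ["crypto pki trustpool import terminal"] + pem_lines(pem) + ["quit"]
    groups: list[list[str]] = [[]]
    for item in items:
        trial = "".join(i + LF for i in groups[-1] + [item])
        if groups[-1] and len(render_action(999, trial)) > limit:  # 999: same width as any 3-digit seq
            groups.append([])          # current action is full; start a new one
        groups[-1].append(item)
    applet = [f"event manager applet {name}", " event none",
              render_action(1, "enable"), render_action(2, "config terminal")]
    for seq, group in enumerate(groups, start=3):
        applet.append(render_action(seq, "".join(i + LF for i in group)))
    applet.append(render_action(len(groups) + 3, "end"))
    for line in applet:                # a lone item wider than the limit cannot be split here
        if len(line) > limit:
            raise ValueError(f"line exceeds {limit} characters: {line[:40]}...")
    return applet

# Constructed stand-in certificate: valid base64 filler, not a real CA.
SAMPLE_PEM = "\n".join([BEGIN] + ["QUJD" * 16] * 20 + ["QUJDRA=="] + [END])
```

Run `print("\n".join(build_applet(SAMPLE_PEM)))` to see the generated applet; pushing it to a device and checking `debug event manager action cli` output, as mario did, is what would confirm or refute the assumption.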