
ibmsecurity.isam.base.ssl_certificates.personal_certificate.import_cert ignores label #62

Open
krgo opened this issue Feb 23, 2018 · 7 comments

Comments

@krgo

krgo commented Feb 23, 2018

It seems like ibmsecurity.isam.base.ssl_certificates.personal_certificate.import_cert ignores the specified label if you import a crt file. The certificate is imported as expected, but the label is ignored and instead, the certificate subject is used as the label.

Example command and output:

ibmsecurity.isam.base.ssl_certificates.personal_certificate.import_cert(appliance, "docker_ldap_certs", "ISAM LDAP server", "/Users/lemming/isam9/certs/ldap.crt", password=None)
[14:04:19.1519391059] [INFO] *** Retrieving personal certificate names and details in a certificate database ***
[14:04:21.1519391061] [INFO] *** Importing a personal certificate into a certificate database ***
Out[4]: {'status_code': 0, 'changed': True, 'data': '', 'rc': 0, 'warnings': []}

@ram-ibm
Collaborator

ram-ibm commented Feb 23, 2018

https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.4/com.ibm.isam.doc/develop/rapi/Importing%20a%20personal%20certificate%20into%20a%20certificate%20database.xml

Unfortunately the REST API does not support setting the label as an argument - it reads it from the cert file. The reason the function requires a label is to check if the certificate already exists. Maybe we could eliminate that and read the cert file to determine the label - not sure how to do that yet.

@krgo
Author

krgo commented Feb 23, 2018

Thx for that clarification. It would be nice if the REST API would support setting a label (it is possible through the LMI).

I'll ask in the EAP forums.

@ram-ibm
Collaborator

ram-ibm commented Mar 2, 2018

I do not see it in the LMI? I just checked - we use the same REST APIs as the LMI does.

@krgo
Author

krgo commented Mar 2, 2018

Hi,

I found a possibility here:
"Manage system settings" -> "SSL Certificates", select the keystore where you want to add a certificate and choose "Manage" -> "Edit SSL Certificate Database". At the signer certificate tab, select "Manage" -> "Import". Select the PEM file and enter the label.
The certificate will have the specified label in the keystore.

I noticed that importing it as a personal certificate, changing the certificate type to PEM and not specifying a password, puts the certificate amongst the "signer certificates" too.

@ram-ibm
Collaborator

ram-ibm commented Mar 2, 2018

When it comes to personal certificates I can think of two options:

  1. Figure out how to read the provided certificate file and get label from it - no need to pass it as an argument.
  2. We leave things as they are - but after the import we re-check the certificate label and set it to desired value.

Signer certificates do work differently, and so do certificates that do not have a private key in them.

@krgo
Author

krgo commented Mar 5, 2018

The first option would make more sense to me, as in general most tools that deal with certificates in keystores work with labels.

@ram-ibm
Collaborator

ram-ibm commented Mar 7, 2018

First option needs a python package that will allow for parsing and loading of the personal certificate - for example pyopenssl. I don't see this being handled using standard python.

So if pyopenssl is found - then we could read the cert file and use the label inside it and ignore the one provided. There will be a warning to that effect. Or we could re-write the certificate to have the new label and use that new file.

I am thinking there has to be a better solution...
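The parse-the-file approach from option 1 above, as an added example that is not part of ibmsecurity or this thread: it reads the subject CN (the label the appliance assigns) from a PEM file using only the standard library, so a caller can check for an existing label before importing without needing pyopenssl. The fixture certificate is constructed inside the block and has no key or signature; `import_label` and `existing_labels` are hypothetical names, not project API.

```python
import base64

CN_OID = b"\x55\x04\x03"  # OID 2.5.4.3 (commonName)

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """All (tag, value) pairs directly inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        out.append((tag, val))
    return out

def subject_cn(pem_text):
    """Subject CN of a PEM certificate; the body sits between the BEGIN/END markers."""
    der = base64.b64decode("".join(pem_text.split("-----")[2].split()))
    _, cert, _ = _tlv(der, 0)
    tbs = _children(_children(cert)[0][1])  # tbsCertificate fields
    if tbs[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        tbs = tbs[1:]
    for _, rdn in _children(tbs[4][1]):     # serial, sigAlg, issuer, validity, SUBJECT
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)
            if oid == CN_OID:
                return value.decode()
    return None

def import_label(pem_text, existing_labels):
    """Label the appliance will assign (subject CN) and whether the keystore already has it."""
    label = subject_cn(pem_text)
    return label, label in existing_labels

# Constructed fixture: an unsigned certificate skeleton (structure only, not a real cert).
def _der(tag, content):  # short-form length only; the fixture stays under 128 bytes
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def _name(cn):  # Name ::= SEQUENCE OF SET OF (OID, UTF8String)
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, cn.encode()))))

def make_test_pem(cn):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name("Constructed Test CA") + _der(0x30, b"") + _name(cn) + _der(0x30, b""))
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Running `import_label(open("ldap.crt").read(), labels_from_get_all)` against the label list already fetched by the "Retrieving personal certificate names" step gives the same existence check the function does today, without a caller-supplied label.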

lachlan-ibm pushed a commit to lachlan-ibm/ibmsecurity that referenced this issue Jun 14, 2020