HPE Community
HPE OneView
1847253 Members
4479 Online
110263 Solutions
New Discussion

Re: REST API upload CA chain

 
bradawk1
Trusted Contributor

‎12-18-2025 03:30 AM - last edited Thursday by

‎12-18-2025 03:30 AM - last edited Thursday by

REST API upload CA chain

I recently updated the server certificate for one of our OneView instances.  When I tried to upload the signed certificate via the REST API it was rejected because the intermdiate certificate it was signed by was not in OneView.  So, I tried to upload that intermediate certificate, but it was rejected because the root certificate it was signed by was not in OneView.  We have an internal CA with several intermediate and root certificates.  So, I downloaded all of those.  I read that I can upload the entire chain to /rest/certificates/ca.  So, I wrote build-cert-chain.sh to build the cert chain.

#!/bin/bash
for VAR in OneView currentVersion sessionID DATA; do
   if [[ -z ${!VAR+x} ]]; then echo "${VAR} is not set!  You need to source the get-session-credentials.sh script.";return 1 2>/dev/null || exit 1;fi
done
declare -i NUM=2
OPTIND=1
OPTARG=
OPTERR=1
while getopts 'c:a:n:' flag; do
   case "${flag}" in
      a) ALIAS=${OPTARG};;
      c) SCRT=${OPTARG};;
      n) NUM=${OPTARG};if ! [[ "${NUM}" =~ ^[0-9]+$ ]]; then echo "The value for -n must be a number." >&2;return 2 || exit 2;fi;;
   esac
done
if [[ "${NUM}" == "" ]]; then echo "NUM was not set.  Setting it to 1";NUM=1;fi
SCRTN=$(awk 'NF {sub(/\r/, ""); printf "%s\\n", $0}' "$SCRT")
if [[ ${NUM} -eq 1 ]]; then
   DATA=$(jq -n --arg cert "${SCRTN}" --arg alias "${ALIAS}" '{members:[{certificateDetails:{base64Data:$cert,aliasName:$alias}}]}')
else
   DATA=$(jq --arg cert "${SCRTN}" --arg alias "${ALIAS}" '.members += [{certificateDetails:{base64Data:$cert,aliasName:$alias}}]' <<<"${DATA}")
fi
export DATA

I then ran echo ${DATA} > chain.cer.  I wrote upload-ca-cert.sh to upload it:

#!/bin/bash
for VAR in OneView currentVersion sessionID DATA; do
   if [[ -z ${!VAR+x} ]]; then echo "${VAR} is not set!  You need to source the get-session-credentials.sh script.";return 1 2>/dev/null || exit 1;fi
done
OPTIND=1
OPTARG=
OPTERR=1
while getopts 'c::' flag; do
   case "${flag}" in
      c) SCRT=${OPTARG};;
   esac
done
CERTURI=$(curl --insecure --include --silent \
     --header "content-type: application/json" \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --data @SCRT \
     --request POST ${OneView}/rest/certificates/ca | grep '^Location:' | awk '{ print $2 }')
echo "Waiting 30 seconds for the process to complete"
sleep 29
echo "Checking the status of the upload process:"
curl --insecure --silent \
     --header "X-API-Version: ${currentVersion}" \
     --header "auth: ${sessionID}" \
     --request GET ${OneView}${CERTURI} | jq -r '.'
export CERTURI

When I try to upload it, I get INVALID JSON MAPPING, JSON cannot be parsed.  Oh!  I think I might have one too many backslashes before n for the linefeeds.  I have:  \\n.  I think it is supposed to be \n.  Let me try to rectify that and see how it goes.

0 Kudos
Reply
3 REPLIES 3
bradawk1
Trusted Contributor

‎12-18-2025 03:47 AM - edited ‎12-18-2025 05:11 AM

‎12-18-2025 03:47 AM - edited ‎12-18-2025 05:11 AM

Re: REST API upload CA chain

Unfortunately removing that extra backslash did not do it.  Any ideas?  My JSON looks just like the example:

{
    "members": [
      {
        "certificateDetails": {
            "base64Data": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
            "aliasName": "ca Alias Name1"
        }
      },
      {
        "certificateDetails":{
            "base64Data":"-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
            "aliasName":"ca Alias Name2"
        }
      }
   ]
}

The alias names have spaces in them.  Does that matter?
Just FYI, I also tried just uploading a single intermediate certificate and got the same response.

0 Kudos
Reply
bradawk1
Trusted Contributor

4 weeks ago - last edited 4 weeks ago

4 weeks ago - last edited 4 weeks ago

Re: REST API upload CA chain

No one has uploaded a CA chain using the REST API?  Either I am missing someting, or the documentation is incorrect.  I have a single CA certificate formatted as depicted in the REST API reference and saved to chain.cer.  I then ran:

jq -r '.members[].certificateDetails.base64Data' chain.cer | openssl x509 -text -nout

and received the properly decoded certificate details.  So, I think my format should be good.

0 Kudos
Reply
Rakesh0404
HPE Pro

Monday

Monday

Re: REST API upload CA chain

Hi Bradawk1,
Thank you for choosing HPE. 
From the looks of the query, the maximum chain can be uploaded in 10. 


The user guide does share the informatoin perfect steps to add: 
https://support.hpe.com/docs/display/public/dp00006389en_us/index.html#rest/certificates/ca?ref=POST%20%2Frest%2Fcertificates%2Fca&query=POST%20%2Frest%2Fcertificates%2Fca

It is best to validate the certificate before adding to store with the below command. 
POST/rest/certificates/ca/validator 



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.