topic Re: Export CSR via SSH in General Topics

Export CSR via SSH

OCEDTRA — Mon, 07 Mar 2016 18:38:49 GMT

Hello,

I have created a CSR:

request certificate generate country-code DE days-till-expiry 1100 email NOC@DOMAIN.COM locality BERLIN signed-by external organization MYORG ip 1.1.1.1 algorithm RSA rsa-nbits 2048 certificate-name testcert name test.domain.de

Looks fine and I can also see it in the WUI.

Now I would like to export it via SSH:

scp export certificate certificate-name testcert format pem include-key no to myuser@10.10.10.10:/cert_test.csr

but I get

Server error : Failed to prepare certificate testcert for export

This works fine for already existing certificates... but not for a CSR...

What am I doing wrong?

Any help appreciated. Thank you!

Re: Export CSR via SSH

gwesson — Mon, 07 Mar 2016 18:56:40 GMT

I don't see anything you're doing wrong. I tested this myself and ran into the same situation. The UI export runs an XML download operation, so it's not as simple as a UI wrapper for CLI.

The CSR should probably be exportable via CLI, but clearly it's not.

As a workaround, you can run:

show config candidate

Then do a / to start a find, and type the name of the CSR (testcert). It will show you the raw CSR that you can copy then you can put it directly onto the target SSH server.

I'd recommend submitting a feature request with your account team as well. It may have been missed as a requirement, or there may have been a reason for not adding that CLI option, but getting it submitted with your account team can go a long way to getting it implemented.

Cheers,

Greg

<edit, replaced "running" with "candidate", in case the CSR hasn't been added to the running config via a commit yet>