Tuesday, November 28, 2023

Certificate types

In this blog post, we will look at 4 certificate types.


1st up is PEM, which is a base64 text format. A PEM file can hold a certificate and a key; if the key is included and it is protected, the file will carry the wording "PRIVATE KEY" in its armor lines, e.g.:

-----BEGIN PRIVATE KEY-----
dddddddjhfjkfjfkfjfkskdjdkjkdjdd
djkdjkjdkdjdkjfkjfkrjfkerjkejfejfioewjfewijfewq
djeqfjeqkwjhfkqejfkejfkjfkeqjefq
-----END PRIVATE KEY-----

Next up is PFX (privacy exchange), also known as PKCS12. As above, it can hold certificate(s) and a key, but the file format is binary, and you will need a passcode to decode it. It is a common export format on Windows and macOS. The file extension is .pfx.

Last, we have DER (Digital Encoding Rules). It is also binary, and you will commonly see these files with names ending in .der.

We also have PKCS#7, but it is rarely used and typically does not contain any keying material.
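As an added example (not code from the original post), here is a small Python sniffer that tells the formats above apart from a file's leading bytes. It assumes the PEM armor labels shown above and the standard ASN.1 outer structures of DER certificates, PKCS12 and PKCS#7; any sample input you feed it is constructed.

```python
# Added example, not code from the original post: identify which of the
# container formats above a certificate/key file uses from its leading
# bytes. Assumptions: PEM is recognised by its "-----BEGIN X-----" armor;
# the binary formats all open with an ASN.1 SEQUENCE (0x30) and are told
# apart by the first inner element (PKCS12 starts with INTEGER 3, PKCS#7
# with an OID, an X.509 certificate with another SEQUENCE).
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _der_length(buf: bytes, pos: int):
    """Return (content length, offset of first content byte) for the TLV at pos."""
    first = buf[pos + 1]
    if first < 0x80:                    # short form: one length byte
        return first, pos + 2
    n = first & 0x7F                    # long form: n big-endian length bytes
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def sniff(blob: bytes) -> dict:
    m = PEM_RE.search(blob)
    if m:                               # text armor -> PEM
        label = m.group(1).decode()
        body = b"".join(m.group(2).split())
        try:                            # a real PEM body is valid base64
            base64.b64decode(body, validate=True)
            valid = len(body) % 4 == 0
        except (binascii.Error, ValueError):
            valid = False
        return {"format": "PEM", "label": label,
                "private_key": "PRIVATE KEY" in label,
                "encrypted": label.startswith("ENCRYPTED"),
                "base64_ok": valid}
    if len(blob) < 2 or blob[0] != 0x30:
        return {"format": "unknown"}
    length, start = _der_length(blob, 0)
    inner = blob[start:start + 3]       # tag, length and first byte of element 1
    if inner[:2] == b"\x02\x01" and inner[2:] == b"\x03":
        kind = "PKCS12/PFX"
    elif inner[:1] == b"\x02":
        kind = "DER private key (PKCS#8/PKCS#1)"
    elif inner[:1] == b"\x06":
        kind = "PKCS#7"
    elif inner[:1] == b"\x30":
        kind = "DER X.509 certificate"
    else:
        kind = "DER (unrecognised structure)"
    return {"format": kind, "complete": start + length == len(blob)}
```

Run it on the dummy PEM block above and it reports a private key whose body is not valid base64, which is exactly the kind of mangled key file that breaks API clients.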




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Saturday, November 11, 2023

How to use a FortiOS API user with certificates (FortiOS API)

I worked with an issue a few months back where someone had changed the client key and did not update their Postman or the API clients.

1st, if using the Postman app, you need to add the certificate and key files under Settings > Certificates.

https://en.wikipedia.org/wiki/Postman_(software)


e.g. (screenshot of the Postman certificate settings not reproduced here)

The passphrase in real life should be something much stronger than test1234.


Here is a simple API call for the path api/v2/cmdb/system/global:





Using curl, you can simulate the above by pointing at the API user's cert/key files on the command line and supplying the passphrase. Note that -k disables verification of the FortiGate's server certificate; drop it once --cacert points at the CA that issued that certificate.


example 1

curl -v --cacert ./rootCA_crt.pem --cert ./api.crt --key ./api.key -k   "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2



example 2 (bundle cert+key into one file and use -E)



curl -E api.bundle -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2


example 3 (cert+key bundle, but supply the passphrase on the command line in one pass)



curl -E api.bundle:test1234 -k "https://api.socpuppets.com/api/v2/cmdb/system/global?access_token=j1dc14rbyftN44QzdqhjN70sGcGsw8" --tlsv1.2





Always ensure the API client key passphrase is secured and strong.

Use the following debug on the FortiGate if you suspect a bad certificate during mTLS:

   diag debug reset 

   diag debug en

   diag debug application httpsd -1


You should see lines similar to the following:

(my API user name = apiuserken)

[httpsd 6544 - 1699755801     info] fweb_debug_init[430] -- User-Agent: "PostmanRuntime/7.35.0"

[httpsd 6544 - 1699755801     info] fweb_debug_init[432] -- Handler "api_cmdb_v2-handler" assigned to request

[httpsd 6544 - 1699755801     info] _peer_auth_certificate_valid[180] -- Api-key + certificate login successful for apiuserken via pki peer apiuserken

[httpsd 6544 - 1699755801  warning] api_access_check_for_api_key[687] -- API Key request authorized for apiuserken from 9.4.19.7.

[httpsd 6544 - 1699755801     info] api_store_parameter[323] -- add API parameter 'access_token' (type=string)

[httpsd 6544 - 1699755801     info] api_cmdb_request_init_by_path[1800] -- new CMDB query (path='system',name='global')

[httpsd 6544 - 1699755801     info] api_generate_and_add_etag[1826] -- Per VDOM ETags: [ "vdom: r
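As an added example (not code from the original post or from Fortinet), a Python parser for the httpsd debug capture above that pulls out who was authenticated and how. The line layout and SAMPLE_LOG come from the post; the "warnings" heuristics are this example's own assumption about what a healthy certificate + API-key login looks like.

```python
# Added example, not code from the original post: parse the httpsd debug
# lines shown above and summarise who was authenticated and how.
# The line layout "[httpsd <pid> - <epoch> <level>] <func>[<line>] -- <msg>"
# and SAMPLE_LOG are taken from the post; the "warnings" heuristics are
# this example's own assumption about what a healthy mTLS login looks like.
import re
from datetime import datetime, timezone

LINE_RE = re.compile(r"\[httpsd (\d+) - (\d+)\s+(\w+)\] (\w+)\[(\d+)\] -- (.*)")
CERT_OK_RE = re.compile(r"certificate login successful for (\S+) via pki peer (\S+)")
APIKEY_RE = re.compile(r"API Key request authorized for (\S+) from (\d+(?:\.\d+){3})")

SAMPLE_LOG = """
[httpsd 6544 - 1699755801     info] fweb_debug_init[430] -- User-Agent: "PostmanRuntime/7.35.0"
[httpsd 6544 - 1699755801     info] fweb_debug_init[432] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 6544 - 1699755801     info] _peer_auth_certificate_valid[180] -- Api-key + certificate login successful for apiuserken via pki peer apiuserken
[httpsd 6544 - 1699755801  warning] api_access_check_for_api_key[687] -- API Key request authorized for apiuserken from 9.4.19.7.
"""


def parse_line(line: str):
    """Split one httpsd debug line into its fields (None if it is not one)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid, ts, level, func, src, msg = m.groups()
    return {"pid": int(pid), "time": datetime.fromtimestamp(int(ts), timezone.utc),
            "level": level, "func": func, "line": int(src), "msg": msg}


def summarize(log_text: str) -> dict:
    """Pull the user-agent, handler and both auth steps out of a debug capture."""
    out = {"user_agent": None, "handler": None, "cert_login": None,
           "api_key": None, "warnings": []}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        msg = rec["msg"]
        if m := CERT_OK_RE.search(msg):
            out["cert_login"] = {"user": m.group(1), "peer": m.group(2)}
        elif m := APIKEY_RE.search(msg):
            out["api_key"] = {"user": m.group(1), "src": m.group(2)}
        elif msg.startswith("User-Agent:") or msg.startswith("Handler "):
            key = "user_agent" if msg.startswith("User") else "handler"
            out[key] = msg.split('"')[1]
    # Assumption: with peer-auth enabled the certificate line should always
    # accompany the API-key line, and both should name the same user.
    if out["api_key"] and not out["cert_login"]:
        out["warnings"].append("API key accepted without a client-certificate login")
    if out["cert_login"] and out["api_key"] and out["cert_login"]["user"] != out["api_key"]["user"]:
        out["warnings"].append("certificate user and API-key user differ")
    return out
```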


Typical API user configuration enabled for PKI:


longisland # show user group api-pki

config user group

    edit "api-pki"

        set member "apiuserken"

    next

end


longisland # show user peer apiuserken

config user peer

    edit "apiuserken"

        set mandatory-ca-verify disable

        set ca "ACME_CA_Cert_1"

    next

end


longisland # show sys api-user apiuserken 

config system api-user

    edit "apiuserken"

        set api-key ENC SH2pULD0pHAvU3P/IVgWdW8cDJhxFURU+rNuid335YYU9v65WAXRL/eYm4rSmU=

        set accprofile "super_admin"

        set vdom "root"

        set peer-auth enable

        set peer-group "api-pki"

    next

end


Friday, November 10, 2023

48 min later my PA-220 is upgraded to 10.2.7

One of my biggest complaints with PAN-OS is that upgrades take a considerable amount of time. Take this simple PA-220 upgrade to 10.2.7: it took well over 45 mins.



The following firewalls are much quicker:

Cisco ASA

FortiGate

Forcepoint

Check Point

So always plan for extra time when upgrading a Palo Alto firewall. The four-digit appliances do upgrade quicker, in my experience. The only other vendor that is just as slow would be Juniper.
