Hi Shanmuga,
There is a SOMA request
<man:do-view-certificate-details>
<man:certificate-object>?</man:certificate-object>
</man:do-view-certificate-details>
so if you know your DataPower certificate object names, you could use this SOMA call in a script that does this. I also found this very old article on the internet on the XML REST Management Interface ... https://www.ibm.com/support/pages/how-can-i-query-certificate-details-using-datapower-rest-management-interface-rmi
The links are broken, which is a shame, but this shows you how you can use one HTTP GET to the ROMA interface to get the list of certificate objects in your domain, and then you can use an HTTP POST of a file with that object name to query the certificate details. This should be scriptable. I gave it a try:
curl https://<myip>:5554/mgmt/config/<mydomain>/CryptoCertificate -k -u admin:<password>
which returned a JSON object with a list of all of my cert objects in that domain:
{
"_links": {
"self": {
"href": "/mgmt/config/<mydomain>/CryptoCertificate"
},
"doc": {
"href": "/mgmt/docs/config/CryptoCertificate"
}
},
"CryptoCertificate": [
{
"name": "SAML-SigningCredentialsCert1",
"_links": {
"self": {
"href": "/mgmt/config/<mydomain>/CryptoCertificate/SAML-SigningCredentialsCert1"
},
"doc": {
"href": "/mgmt/docs/config/CryptoCertificate"
}
},
"mAdminState": "enabled",
"Filename": "cert:///swlinn1-sscert.pem",
"PasswordAlias": "off",
"IgnoreExpiration": "off"
},
<more certs removed for brevity>
]
}
I then took my object name and placed it into a JSON object to POST:
{
"ViewCertificateDetails": {
"CertificateObject": "SAML-SigningCredentialsCert1"
}
}
And the following curl returned my cert details:
curl https://<myip>:5554/mgmt/actionqueue/<mydomain> -k -u admin:<password> --data-binary @\tmp\roma-getcertdetails.json
{
"_links": {
"self": {
"href": "/mgmt/actionqueue/<mydomain>"
},
"doc": {
"href": "/mgmt/docs/actionqueue"
}
},
"ViewCertificateDetails": "Operation completed.",
"CryptoCertificate": {
"CertificateObject": "SAML-SigningCredentialsCert1",
"Domain": "<mydomain>",
"CertificateDetails": {
"fingerprint-sha1": "82:89:16:23:CD:FD:3D:21:1A:07:E3:65:93:7D:AD:8D:E2:FC:C0:D8",
"Version": 3,
"SerialNumber": "919377881864239011",
"SignatureAlgorithm": "sha256WithRSAEncryption",
"Issuer": "C=US, ST=NC, L=Charlotte, O=IBM, OU=DataPower, CN=swlinn.us.ibm.com",
"NotBefore": "2019-04-03T18:48:46Z",
"NotAfter": "2029-03-31T18:48:46Z",
"Subject": "C=US, ST=NC, L=Charlotte, O=IBM, OU=DataPower, CN=swlinn.us.ibm.com",
"SubjectPublicKeyAlgorithm": "rsaEncryption",
"SubjectPublicKeyBitLength": 2048,
"KeyValue": {
"RSAKeyValue": {
"Modulus": "removed for brevity",
"Exponent": "AQAB"
}
},
"Extensions": {
"Extension": [
{
"critical": "false",
"name": "basicConstraints",
"oid": "2.5.29.19",
"isder": "false",
"item": {
"value": "TRUE",
"name": "CA"
}
},
{
"value": "73:88:54:4E:4F:49:98:2E:03:41:20:66:F8:C9:35:F0:4B:1C:50:85",
"critical": "false",
"name": "subjectKeyIdentifier",
"oid": "2.5.29.14",
"isder": "false"
},
{
"critical": "false",
"name": "authorityKeyIdentifier",
"oid": "2.5.29.35",
"isder": "false",
"item": [
{
"value": "73:88:54:4E:4F:49:98:2E:03:41:20:66:F8:C9:35:F0:4B:1C:50:85",
"name": "keyid"
},
{
"value": "/C=US/ST=NC/L=Charlotte/O=IBM/OU=DataPower/CN=swlinn.us.ibm.com",
"name": "DirName"
},
{
"value": "0C:C2:49:4F:FE:DE:77:A3",
"name": "serial"
}
]
},
{
"critical": "false",
"name": "keyUsage",
"oid": "2.5.29.15",
"isder": "false",
"item": [
{
"name": "Digital Signature"
},
{
"name": "Key Encipherment"
},
{
"name": "Data Encipherment"
},
{
"name": "Key Agreement"
},
{
"name": "Certificate Sign"
}
]
}
]
},
"Base64": "removed for brevity"
}
}
}
Happy scripting!
Best Regards,
Steve Linn
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
------------------------------
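Putting the two REST calls from Steve's reply into one script, as an added example that is not part of the post or of IBM's tooling: it lists the CryptoCertificate objects in a domain, queues one ViewCertificateDetails action per object, and turns the answers into an expiry inventory (days left, EXPIRED/EXPIRING/OK, SHA-1 fingerprint, key size, and whether IgnoreExpiration is switched on). The base URL, domain, user name, CA bundle path and the DP_PASSWORD environment variable are assumptions; the embedded sample JSON is constructed from the responses shown above, plus one made-up object with no details to exercise the error path. Unlike the curl lines, it verifies the appliance's TLS certificate and keeps the password out of the command line.

```python
"""Inventory DataPower certificate objects over the REST management interface (port 5554).
Added example, not code from the post or from IBM: it scripts the two calls shown above
(GET /mgmt/config/<domain>/CryptoCertificate, then one ViewCertificateDetails POST per
object to /mgmt/actionqueue/<domain>). Base URL, domain, user, CA bundle and DP_PASSWORD
are assumptions; the sample JSON below is constructed from the responses in the post."""
import base64, json, os, ssl, sys
import urllib.error, urllib.request
from datetime import datetime, timezone

DP_TIME = "%Y-%m-%dT%H:%M:%SZ"   # format of NotBefore / NotAfter in the action response

# Constructed samples, abridged from the two responses in the post; "Example-NoDetails"
# is a made-up object with no details response so the error path is exercised.
SAMPLE_LIST = {"CryptoCertificate": [
    {"name": "SAML-SigningCredentialsCert1", "mAdminState": "enabled",
     "Filename": "cert:///swlinn1-sscert.pem", "PasswordAlias": "off", "IgnoreExpiration": "off"},
    {"name": "Example-NoDetails", "mAdminState": "disabled", "Filename": "cert:///missing.pem"}]}
SAMPLE_DETAILS = {"SAML-SigningCredentialsCert1": {
    "ViewCertificateDetails": "Operation completed.",
    "CryptoCertificate": {"CertificateObject": "SAML-SigningCredentialsCert1", "CertificateDetails": {
        "fingerprint-sha1": "82:89:16:23:CD:FD:3D:21:1A:07:E3:65:93:7D:AD:8D:E2:FC:C0:D8",
        "SerialNumber": "919377881864239011",
        "Issuer": "C=US, ST=NC, L=Charlotte, O=IBM, OU=DataPower, CN=swlinn.us.ibm.com",
        "Subject": "C=US, ST=NC, L=Charlotte, O=IBM, OU=DataPower, CN=swlinn.us.ibm.com",
        "NotBefore": "2019-04-03T18:48:46Z", "NotAfter": "2029-03-31T18:48:46Z",
        "SubjectPublicKeyAlgorithm": "rsaEncryption", "SubjectPublicKeyBitLength": 2048}}}}
SAMPLE_NOW = datetime(2024, 7, 19, tzinfo=timezone.utc)   # date of the original question


class RomaClient:
    """Basic-auth JSON client; TLS is verified against cafile rather than skipped with curl -k."""

    def __init__(self, base_url, user, password, cafile=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
        self.ctx = ssl.create_default_context(cafile=cafile)

    def _call(self, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, headers=self.headers,
                                     method="POST" if data else "GET")
        if data:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def list_cert_objects(self, domain):
        return self._call(f"/mgmt/config/{domain}/CryptoCertificate")

    def view_cert_details(self, domain, name):
        return self._call(f"/mgmt/actionqueue/{domain}",
                          {"ViewCertificateDetails": {"CertificateObject": name}})


def cert_objects(list_resp):
    """Objects from the GET response; a lone object may come back as a dict, not a list."""
    objs = list_resp.get("CryptoCertificate", [])
    return [objs] if isinstance(objs, dict) else objs


def parse_details(action_resp):
    """Fields an inventory needs, taken from one ViewCertificateDetails response."""
    d = action_resp["CryptoCertificate"]["CertificateDetails"]
    return {"subject": d["Subject"], "issuer": d["Issuer"], "serial": d["SerialNumber"],
            "sha1": d["fingerprint-sha1"],
            "key": f'{d["SubjectPublicKeyAlgorithm"]} {d["SubjectPublicKeyBitLength"]}',
            "not_before": datetime.strptime(d["NotBefore"], DP_TIME).replace(tzinfo=timezone.utc),
            "not_after": datetime.strptime(d["NotAfter"], DP_TIME).replace(tzinfo=timezone.utc)}


def build_inventory(list_resp, details_by_name, now=None, warn_days=90):
    """Join the object list with per-object details; objects whose lookup failed stay listed."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for obj in cert_objects(list_resp):
        row = {"name": obj["name"], "file": obj.get("Filename"),
               "enabled": obj.get("mAdminState") == "enabled",
               "ignore_expiration": obj.get("IgnoreExpiration") == "on"}   # hides expiry from DP
        try:
            row.update(parse_details(details_by_name.get(obj["name"])))
            days = (row["not_after"] - now).days
            row["days_left"] = days
            row["status"] = "EXPIRED" if days < 0 else "EXPIRING" if days < warn_days else "OK"
        except (KeyError, TypeError, ValueError) as e:
            row["status"], row["error"] = "ERROR", f"no details: {e!r}"
        rows.append(row)
    return rows


if __name__ == "__main__":
    # usage: DP_PASSWORD=... python dp_cert_inventory.py https://<myip>:5554 <mydomain> admin ca.pem
    base, domain, user, cafile = sys.argv[1:5]
    client = RomaClient(base, user, os.environ["DP_PASSWORD"], cafile)
    listing = client.list_cert_objects(domain)
    details = {}
    for obj in cert_objects(listing):
        try:
            details[obj["name"]] = client.view_cert_details(domain, obj["name"])
        except urllib.error.HTTPError as e:   # keep going; that row is reported as ERROR
            details[obj["name"]] = {"error": str(e)}
    for r in build_inventory(listing, details):
        print("\t".join(str(r.get(k, "")) for k in
                        ("name", "status", "days_left", "not_after", "subject", "sha1", "file")))
```

Run it once per domain and diff the output between runs; a row that goes from OK to ERROR usually means the certificate file behind the object was removed or the object was disabled, which the appliance's own expiry notification will not tell you about. Objects with IgnoreExpiration on deserve a look regardless of their date, since that flag suppresses the expiry check on the appliance itself. Use an account with only the read and action rights this script needs rather than admin.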
Original Message:
Sent: Fri July 19, 2024 04:52 AM
From: Shanmuga Rajendra
Subject: Cert details uploaded in cert directory
I need to collect the details of the public keys (certificates) uploaded in the cert folder in the DP appliance application domain to make an inventory of certificate details. Is there any easy way to collect the details, mainly the expiry date of the certificate, without manually opening each file and collecting the details? We have cert expiry notification configured, but we need a list of all certs irrespective of their expiry date. Please help if there is any easy way to collect the details.
------------------------------
Shanmuga Rajendra
Datapower admin
------------------------------