From my previous experience I knew that configuration backup/restore functions in ROS also backing up/restoring certificates. However it turned out that restoring a backup on another device actually doesn't restore private keys of the certificates - the certificates are getting restored OK, but they no longer have their private keys. (It may happen that the private keys are not actually backed up if you're selecting "do not encrypt backup" as I did, but as the recipient device is of another model the backup/restore approach was anyhow suboptimal.)
So I came up with a script that exports certificates along with their keys (each certificate is exported with its own passphrase) and creates a script to import them back, allowing easy migration to other device:
Code: Select all
# Certificate export tool for ROS 7.x by 611
# Filter for cert names
:local certnamesearchstring "";
# Create script file for cert import
:local scriptname "cert-import-$certnamesearchstring.rsc";
:put "Exporting (non-expired, non-revoked) certificates with filter '$certnamesearchstring', writing import script to $scriptname:";
# There could be a lot of files, so /file print is suboptimal, we'll use /certificate instead with a filter, so that the output will be empty (except for header)
/certificate print file=$scriptname where !name;
# Export loop (with reqd variables)
:local certname; :local exportpass;
:local scriptbody ""; :local scriptpart 1;
# Certificate templates won't export and have no "invalid-after" date, excluding them
# You may add extra conditions to filter the cert list here:
:foreach i in=[/certificate find invalid-after !expired !revoked name~($certnamesearchstring)] do={
:set $certname [/certificate get $i name];
:set $exportpass [:rndstr from="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" length=32]
:put "* $certname";
# Actual export, ignore errors
:do { /certificate export-certificate $i file-name=$certname export-passphrase=$exportpass; } on-error={ :put " ! Error"; }
# Add import cert command to the script
:set $scriptbody ($scriptbody . "/certificate import file-name=$certname.crt name=$certname passphrase=""""\r\n");
# Add import key command to the script if there's a key
:delay 2;
:if ([/file find name="$certname.key"]) do={
:put " + key";
:set $scriptbody ($scriptbody . "/certificate import file-name=$certname.key passphrase=$exportpass\r\n"); }
# Check if the script is approaching 4k. write contents to the file and start a new one if so
if ([:len $scriptbody] > 3840) do={
# Delay could be required as file creation seems to be async to the script, and it should complete for write to succeed
:delay 2;
/file set $scriptname contents=$scriptbody;
:set $scriptbody ""; :set $scriptpart ($scriptpart+1);
:set $scriptname "cert-import-$certnamesearchstring-$scriptpart.rsc";
;put "Starting new import script $scriptname:";
/certificate print file=$scriptname where !name; }
}
# Write script to the file
:delay 2;
/file set $scriptname contents=$scriptbody;
:put "OK";
:put "Remove '.txt' from script(s) extension, transfer script(s), .crt and .key files to the destination router, and use /import to run the script(s).";
# That's all, folks!
Peculiarities:
- Certificates could be filtered by their names, the filter string is set in the beginning of the script;
- Templates (certificates created, but not yet signed) obviously won't export as there are no public an private keys yet, so they are filtered out when exporting. It's possible to export them as plain configuration, but this is not implemented (I have a single template so it's not problem to do it manually);
- Expired and revoked certificates are not exported as it looks unnecessary;
- The script is slow as file operations require 2 second delay after creation of file before it could be found or written to. Ofc it's possible to export all the certs, then look for all the .key files, thus have a single 2 second delay instead of a delay for each certificate, but let's leave this implementation to ones who require better performance (I'm OK with the script running to 40 seconds or so on my device);
- File read/write operations as implemented in ROS are limited to 4k file size, thus the script will write out an import script file and start the next one as the size will approach 4k;
- The script will require modifications for ROS v6 and earlier (as :rndstr was introduced in v7).
Comments and suggestions are welcome.