Curl command for uploading idp certificate in global trust store in aem 6.5

Level 2

Hello

I'm trying to upload an IdP certificate into the global trust store to configure SSO on an AEM 6.5 author instance using a curl command. I copied the cert into a directory on an Amazon Linux server and tried running a few curl commands from the same directory to upload the cert, but the commands are not working.

Facing issues with the IdP cert upload using a curl cmd; the other curl commands (for integrating SSO, installing AEM, replication agents) are working fine.

Can you please help me with the curl command for the IdP certificate upload?

Thanks in advance.

10 Replies

Community Advisor

Hi @KRenuka ,
You can try the following steps below

With Basic Authentication:

  • If your AEM instance requires basic authentication (username and password), you can use the following curl command:
    curl -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json
    1. Replace admin:admin with your AEM admin credentials.
    2. Adjust the path to your IDP certificate file (idp_certificate.crt).
    3. Set a unique alias for your certificate (e.g., my_idp_cert).
    4. Modify the AEM instance URL (http://localhost:4502) as needed.

With Client Certificate Authentication:

  • If your AEM instance uses client certificate authentication, you’ll need to provide both the client certificate and key.
  • The --cert option specifies the client certificate, and the --key option specifies the private key associated with the certificate.
  • Example:
    curl -v --cert /path/to/client_cert.pem --key /path/to/client_key.pem --pass my_password -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" https://localhost:4502/libs/granite/security/truststore.json
    1. Replace /path/to/client_cert.pem and /path/to/client_key.pem with the actual paths to your client certificate and key files.
    2. Set the correct password for the private key (my_password).
    3. Adjust the AEM instance URL (https://localhost:4502) as needed.

Thanks,
Madhur

Level 2

Thanks for the response Madhur.

I am using Basic Authentication, and when I try the below curl cmd with my credentials and values, I get the below error in the console.

ERROR:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head><title>500 Cannot adapt to user from path [/libs/granite/security/truststore.json]</title></head>
<body>
<h1>Cannot adapt to user from path [/libs/granite/security/truststore.json]</h1>
<p>Cannot serve request to /libs/granite/security/truststore.json on this server</p>
<hr>
<address>Apache Sling</address>
</body>
</html>

curl -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json

Community Advisor

Hi @KRenuka ,
There are several reasons which could generate the error. You can try the below mentioned steps to debug.

  1. Verify that the URL path is correct. Make sure that /libs/granite/security/truststore.json exists in your AEM instance.
    You can manually check this by navigating to http://localhost:4502/libs/granite/security/truststore.json in your web browser.
  2. Confirm that the user account (admin in your case) has the necessary permissions to upload certificates to the truststore.
    Also check if the user has the appropriate permissions for the /libs/granite/security/truststore.json resource.
  3. To debug further, try using the -v option with curl to get verbose output. This will show additional details about the request and response.
    curl -v -u admin:admin -F "certificate=@/path/to/idp_certificate.crt" -F "alias=my_idp_cert" http://localhost:4502/libs/granite/security/truststore.json
  4. Check the AEM logs for any relevant error messages related to truststore operations.

Replace placeholders like /path/to/idp_certificate.crt and my_idp_cert with the actual values.

Level 2

@Madhur-Madan 

  • I am able to access the /libs/granite/security/truststore.json page with my user creds having admin access from the GUI and also using a curl cmd.
    curl -u admin:admin http://localhost:4502/libs/granite/security/truststore.json
  • But I am unable to update any values using the above cmd; I get the below error:

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html>
    <head><title>500 Cannot adapt to user from path [/libs/granite/security/truststore.json]</title></head>
    <body>
    <h1>Cannot adapt to user from path [/libs/granite/security/truststore.json]</h1>
    <p>Cannot serve request to /libs/granite/security/truststore.json on this server</p>
    <hr>
    <address>Apache Sling</address>
    </body>

  • And I am able to update the values for the http://localhost:4502/libs/granite/security/content/truststore.json page but unable to update the actual page http://localhost:4502/libs/granite/security/truststore.json

Community Advisor

Hi @KRenuka ,

That’s expected behavior. In AEM, the /libs/granite/security/content/truststore.json endpoint is designed for write operations, such as updating or adding certificates to the truststore.
On the other hand, the /libs/granite/security/truststore.json endpoint is typically used for read operations, like viewing the truststore.

So, if you’re trying to upload an Identity Provider (IdP) certificate to the global truststore in AEM to configure Single Sign-On (SSO), you should use the /libs/granite/security/content/truststore.json endpoint.

Level 2

@Madhur-Madan 
I am able to update the cert alias under /libs/granite/security/content/truststore.json using a curl cmd, but the certificate is not getting uploaded into the trust store.

Unable to find cert details below:

[screenshot attachment: KRenuka_0-1715592034785.png]


Level 1

I am facing the same issue...

curl -k -s -u "admin:**********" -F "certificate=@/DevOps/Main/config-files/certs/sso/sso-certs/_.esso-uat.********.cer" -F "alias=admin" https://*******************/libs/granite/security/content/truststore.json

I get the response back...

<html>
<head>
<title>Content modified /libs/granite/security/content/truststore</title>
</head>
<body>
<h1>Content modified /libs/granite/security/content/truststore</h1>
<table>
<tbody>
<tr>
<td>Status</td>
<td><div id="Status">200</div></td>
</tr>
<tr>
<td>Message</td>
<td><div id="Message">OK</div></td>
</tr>
<tr>
<td>Location</td>
<td><a href="/libs/granite/security/content/truststore" id="Location">/libs/granite/security/content/truststore</a></td>
</tr>
<tr>
<td>Parent Location</td>
<td><a href="/libs/granite/security/content" id="ParentLocation">/libs/granite/security/content</a></td>
</tr>
<tr>
<td>Path</td>
<td><div id="Path">/libs/granite/security/content/truststore</div></td>
</tr>
<tr>
<td>Referer</td>
<td><div id="Referer"></div></td>
</tr>
<tr>
<td>ChangeLog</td>
<td><div id="ChangeLog">&lt;pre&gt;modified(&quot;/libs/granite/security/content/truststore/certificate/jcr:lastModified&quot;);&lt;br/&gt;modified(&quot;/libs/granite/security/content/truststore/certificate/jcr:mimeType&quot;);&lt;br/&gt;modified(&quot;/libs/granite/security/content/truststore/certificate/jcr:data&quot;);&lt;br/&gt;modified(&quot;/libs/granite/security/content/truststore/alias&quot;);&lt;br/&gt;&lt;/pre&gt;</div></td>
</tr>
</tbody>
</table>
<p><a href="/libs/granite/security/content/truststore">Modified Resource</a></p>
<p><a href="/libs/granite/security/content">Parent of Modified Resource</a></p>
</body>
</html>

So it looks fine

But no cert when I go to the global trust store

Does it need a restart of the instance?

I do notice it doesn't seem to give the user to map to in the command - could that be the issue? I always have to map it to the admin user to make it work when I do it manually.

I tried to look at the payload when I do it manually and get this...

certificate: (binary)
userPath:
userPath@Delete:
:cq_csrf_token:
eyJleHAiOjE3MTYxMDE3MzcsImlhdCI6MTcxNjEwMTEzN30.7d6EENxcEF_bKETDrOh70DeZEIu7p5DutVtgPRvve50

I tried adding in as a real shot in the dark...

-F "userPath=" -F "userPath@Delete="

But nothing

When I go to the authentication service, it has no keystore when using the curl.

When I do it manually, it still does not have one, whereas in a current environment that works it shows one is there but no actual cert listed.

I have a command which does seem to create the global trust store, but I was then trying to add a package with the certs and that was getting wiped out. Seems to be a dead end.
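Since the thread ends without a confirmed working upload, here is an added example, written for this page and not code from any poster or from Adobe, that does in Python's standard library what the curl commands above do and adds the two checks the posts show are missing. It parses the Sling POST reply so that Status, Message and the ChangeLog can be inspected programmatically, and it reads /libs/granite/security/truststore.json back and looks for the alias. The reason for the read-back is visible in the reply quoted above: its ChangeLog lists only property writes (jcr:data, jcr:mimeType, alias) on the content node, which is what the default Sling POST servlet records for any form fields it is given, so a 200 OK from it does not by itself prove that a keystore entry was created. Assumptions, also marked in the code: the read endpoint returns JSON with an "aliases" array whose entries carry an "alias" key; the password comes from the AEM_PASSWORD environment variable rather than the command line; the sample reply and listing are constructed from the one posted above.

```python
"""Upload a certificate to the AEM global truststore endpoint and verify it landed.
Added example for this thread, not code from any poster or from Adobe.
ASSUMED: the read endpoint returns JSON shaped like {"aliases": [{"alias": "..."}]}.
"""
import base64
import hashlib
import html
import json
import os
import re
import ssl
import sys
import urllib.request
import uuid

WRITE_ENDPOINT = "/libs/granite/security/content/truststore.json"  # write path, from the thread
READ_ENDPOINT = "/libs/granite/security/truststore.json"           # read path, from the thread

# Constructed (trimmed) sample of the Sling POST servlet reply quoted in the thread.
SAMPLE_SLING_RESPONSE = (
    '<html><body><h1>Content modified /libs/granite/security/content/truststore</h1>'
    '<table><tr><td>Status</td><td><div id="Status">200</div></td></tr>'
    '<tr><td>Message</td><td><div id="Message">OK</div></td></tr>'
    '<tr><td>ChangeLog</td><td><div id="ChangeLog">&lt;pre&gt;'
    'modified(&quot;/libs/granite/security/content/truststore/certificate/jcr:data&quot;);&lt;br/&gt;'
    'modified(&quot;/libs/granite/security/content/truststore/alias&quot;);&lt;br/&gt;&lt;/pre&gt;'
    '</div></td></tr></table></body></html>'
)
# Constructed listing in the ASSUMED shape of the read endpoint's JSON.
SAMPLE_LISTING = {"aliases": [{"alias": "my_idp_cert", "entryType": "trustedCertEntry"}]}


def cert_to_der(raw: bytes) -> bytes:
    """Return DER bytes for a PEM or DER certificate file (pre-flight sanity check).
    ssl.PEM_cert_to_DER_cert raises ValueError for non-PEM text, so anything
    that is not PEM is treated as DER and passed through unchanged."""
    try:
        return ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    except (UnicodeDecodeError, ValueError):
        return raw


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form shown by openssl x509 -fingerprint."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def build_multipart(fields, file_field, filename, content):
    """Build a multipart/form-data body equivalent to curl's -F options."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
                 + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def parse_sling_response(body: str) -> dict:
    """Pull Status, Message and the HTML-escaped ChangeLog out of the Sling POST reply."""
    out = {}
    for key in ("Status", "Message", "ChangeLog"):
        m = re.search(rf'<div id="{key}">(.*?)</div>', body, re.S)
        out[key] = html.unescape(m.group(1)) if m else None
    if out["Status"] is not None:
        out["Status"] = int(out["Status"])
    return out


def truststore_has_alias(listing: dict, alias: str) -> bool:
    """True if the read endpoint's listing (assumed shape) contains the alias."""
    return any(entry.get("alias") == alias for entry in listing.get("aliases", []))


def upload_and_verify(base_url, user, password, cert_path, alias):
    """POST the certificate as curl -F would, then read the truststore back."""
    with open(cert_path, "rb") as fh:
        raw = fh.read()
    print("certificate SHA-256:", fingerprint_sha256(cert_to_der(raw)))
    auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    body, ctype = build_multipart({"alias": alias}, "certificate", os.path.basename(cert_path), raw)
    req = urllib.request.Request(base_url + WRITE_ENDPOINT, data=body, method="POST",
                                 headers={"Authorization": auth, "Content-Type": ctype})
    with urllib.request.urlopen(req) as resp:
        sling = parse_sling_response(resp.read().decode("utf-8", "replace"))
    print("Sling POST reply:", sling["Status"], sling["Message"])
    print("ChangeLog:", sling["ChangeLog"])  # property writes only; not proof of a keystore entry
    req = urllib.request.Request(base_url + READ_ENDPOINT, headers={"Authorization": auth})
    with urllib.request.urlopen(req) as resp:
        listing = json.load(resp)
    present = truststore_has_alias(listing, alias)
    print("alias present in truststore listing:", present)
    return present


if __name__ == "__main__":
    # Usage: AEM_PASSWORD=... python truststore_upload.py http://localhost:4502 admin idp.crt my_idp_cert
    if len(sys.argv) == 5:
        base, user, path, alias = sys.argv[1:]
        sys.exit(0 if upload_and_verify(base, user, os.environ["AEM_PASSWORD"], path, alias) else 1)
    print(parse_sling_response(SAMPLE_SLING_RESPONSE))  # offline demo on the constructed sample
    print(truststore_has_alias(SAMPLE_LISTING, "my_idp_cert"))
```

Run without arguments it only exercises the parsers on the constructed sample; with a base URL, user, certificate path and alias it performs the upload and exits non-zero when the alias does not appear in the read-back listing, which is the condition the posts above describe (200 OK from the write endpoint, nothing in the trust store).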

Administrator

@KRenuka Did you find the suggestions helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out the solution yourself, please share it with the community.



Kautuk Sahni

Administrator

@Madhur-Madan Did you find the suggestions helpful? Please let us know if more information is required. Otherwise, please mark the answer as correct for posterity. If you have found out the solution yourself, please share it with the community.



Kautuk Sahni