Importing files by copy & paste on the CLI

Your device supports the loading of files into file slots from the console and also by means of a script.

This lets you use a script to roll out files together with the configuration or, for example, to import SSH keys and VPN certificates.

Syntax of the CLI command importfile:

importfile -a <application> [-p <passphrase>] [-n] [-h <hash> -f <fingerprint>] [-c] [-r]

Required parameters:

-a <application>
<application> specifies the storage location and thus the usage for the entered data. For a complete list of the storage locations on your device, enter importfile -?.

Optional parameters:

-n
-n starts the non-interactive mode. There are no prompts or other outputs on the CLI. The non-interactive mode is intended for use with scripts.
-p <passphrase>
<passphrase> is the password required to decrypt an entered private key.
-h <hash>
The hash algorithm used to determine the fingerprint of the root CA certificate.
-f <fingerprint>
The fingerprint of the root CA certificate, created with -h. The fingerprint can be entered either with or without colons.
-c
Only CA certificates are uploaded.
-r
Uploaded CA certificates replace any existing ones.
Note: CTRL+Z cancels any active input.

Example:

In this example, user input is shown in bold and prompts for the user are shown in italic. Certificates and other long, multi-line outputs are abbreviated with [...] for legibility. At the end of the example you will find explanations for the individual steps.

root@test:/
 importfile -a VPN2 -p lancom -h SHA512 -f 4F:A7:5E:C9:D4:77:CE:D3:06:4C:79:93:D8:FA:3A:8E:7B:FE:19:61:B2:0C:37:4F:BB:7A:E6:46:36:04:46:EE:F6:DA:97:15:6B:BB:2D:8F:B6:66:E6:7C:54:1E:B4:02:79:54:D6:DF:1E:9B:27:7C:9C:EA:B8:CB:1B:6D:90:1C

The input can be aborted by pressing CTRL+Z.
Please enter the PEM-encoded (Base64) device certificate, the end of the input will be detected automatically:
importfile>-----BEGIN CERTIFICATE-----
importfile>MIID9DCCAtwCCQDgaoWRCmWaLjANBgkqhkiG9w0BAQ0FADAkMQswCQYDVQQG[…]
importfile>[…]s7pM5l0L0d0=
importfile>-----END CERTIFICATE-----
Importing device certificate:
        Version: 1 (0x0)
        Serial Number:
            e0:6a:85:91:0a:65:9a:2e
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=OCSP-TEST-CA,C=DE
        Validity
            Not Before: Jul  4 12:34:07 2017 GMT
            Not After : Oct  5 12:34:07 2024 GMT
        Subject: CN=TEST,O=Internet Widgits Pty Ltd,ST=Some-State,C=DE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:bb:93:f6:b9:9a:41:b2:3e:30:2b:09:7f:d1:f9:
                    49:54:5a:82:c9:17:10:1f:79:6d:ab:55:df:b8[…]
                   […]2f:0c:8a:69:7b:a9:82:32:f3:ca:9c:02:20:14:
                    bd:8b:0d
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha512WithRSAEncryption
         06:5b:a4:1a:a2:69:c1:bf:6f:b1:d2:6c:b0:21:e1:10:43:[…]
         […]50:e6:a3:1d:f3:15:b7:87:8c:65:2f:25:f6:b3:ba:4c:e6:
         5d:0b:d1:dd

The input can be aborted by pressing CTRL+Z.
Please enter the PEM-encoded (Base64) device private key, the end the input will be detected automatically:
importfile>-----BEGIN RSA PRIVATE KEY-----
importfile>Proc-Type: 4,ENCRYPTED
importfile>DEK-Info: AES-128-CBC,8FB95ED0568DA9AE17D7573BC294ACD8
importfile>[…]5Cuf2p798Obhw3isAe04XRwmdLno8ZcPDyB33ZKPjmhUzB0WsdzGdSSq5iYjD
importfile>-----END RSA PRIVATE KEY-----
The private key was read successfully.
The private key matches the device certificate.
The input can be aborted by pressing CTRL+Z.
Please enter the chain of PEM-encoded (Base64) CA certificates.
The input is closed with "endcachain":
importfile>-----BEGIN CERTIFICATE-----
importfile>MIIDGzCCAgOgAwIBAgIJAMlNxBFGQqpoMA0GCSqGSIb3DQEBDQUAMCQxCzAJB[…]
importfile>[…]EUDI9giYt9tnAT8hJfLkkyN/PHSiP+e+vopjSpKuyg==
importfile>-----END CERTIFICATE-----
importfile>endcachain
Importing CA certificate:
        Version: 3 (0x2)
        Serial Number:
            c9:4d:c4:11:46:42:aa:68
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=OCSP-TEST-CA,C=DE
        Validity
            Not Before: Jun  6 13:56:49 2017 GMT
            Not After : Jun 19 13:56:49 2045 GMT
        Subject: CN=OCSP-TEST-CA,C=DE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e9:ba:04:74:7d:78:5a:84:b3:63:cc:ad:4d:[…]
                    […]14:0e:27:c8:8c:5a:00:a3:4c:ed:4f:02:e8:0b:
                    fb:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                57:13:BB:94:3B:89:C5:3B:B7:A0:0E:BB:BF:39:05:67:8B:FB:84:30
            X509v3 Authority Key Identifier:
                keyid:57:13:BB:94:3B:89:C5:3B:B7:A0:0E:BB:BF:39:05:67:8B:FB:84:30

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
         c8:cf:3b:97:1a:56:61:13:9c:61:ed:21:23:7a:37:b4:a8:[…]
        […]3f:21:25:f2:e4:93:23:7f:3c:74:a2:3f:e7:be:be:8a:63:
         4a:92:ae:ca

Content of the PKCS12 file: private key: 1, device certificate: 1, CA certificates: 1
root@test:/
  1. The importfile command is called for the storage location VPN2, so we are dealing with a certificate for use in the VPN. The password for the private key is lancom and the root CA certificate can be checked with SHA512 and the specified fingerprint.
  2. In the following, the user is prompted to enter the certificate.
  3. After entering the certificate, it is then imported.
  4. In the following, the user is prompted to enter the private key.
  5. Following the input, the key is checked.
  6. In the following, the user is prompted to enter the CA certificate chain. The end of the input is not detected automatically. After the last certificate, the end is determined by entering endcachain. Type this command on a new line, because all of the input on a line containing the string endcachain is discarded.
  7. Following these entries, the CA certificates are imported and the process is completed.
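
Added example (not part of the original documentation): a Python helper for preparing the -h/-f arguments and the CA chain input on the management workstation before pasting. It assumes the fingerprint is the hash over the DER-encoded certificate, as common X.509 tools compute it; all function names are hypothetical and the sample certificate is constructed placeholder data.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """DER bytes of every CERTIFICATE block in pem_text, in order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_CERT.findall(pem_text)]

def fingerprint(der, algo="SHA512", colons=True):
    """Hash of the DER certificate (assumed to be what -h/-f expect)."""
    hexd = hashlib.new(algo.lower(), der).hexdigest().upper()
    return ":".join(re.findall("..", hexd)) if colons else hexd

def same_fingerprint(a, b):
    """Compare two fingerprints, accepting colons or none, any case."""
    strip = lambda fp: re.sub(r"[:\s]", "", fp).upper()
    return hmac.compare_digest(strip(a), strip(b))

def importfile_command(slot, root_ca_pem, algo="SHA512"):
    """Command line that pins the root CA for the given slot (e.g. VPN2)."""
    ders = pem_to_der(root_ca_pem)
    if len(ders) != 1:
        raise ValueError("expected exactly one root CA certificate")
    return f"importfile -a {slot} -h {algo} -f {fingerprint(ders[0], algo)}"

def ca_chain_paste(chain_pem):
    """Text for the CA chain prompt, with endcachain on a line of its own."""
    if not pem_to_der(chain_pem):
        raise ValueError("no CERTIFICATE block found")
    if any("endcachain" in line for line in chain_pem.splitlines()):
        raise ValueError("a line containing 'endcachain' would be discarded")
    return chain_pem.rstrip("\n") + "\nendcachain\n"

# Constructed sample: placeholder bytes in a PEM wrapper, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(importfile_command("VPN2", SAMPLE_PEM))
    print(ca_chain_paste(SAMPLE_PEM), end="")
```

Compare the computed fingerprint with the value published by the CA operator over a separate channel (same_fingerprint accepts either spelling) before using it with -f.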

Possible files and formats:

File                          Format  File              Format
CONFIG-SYNC                   PEM     SCEP-TLS          PEM
CWMP                          PEM     SIPS1             PEM
CWMP-ROOT-CA                  PEM     SIPS2             PEM
DEFAULT                       PEM     SIPS3             PEM
DEFAULT-ADD-CAS               PEM     SSH-AUTH-KEYS     TEXT
EAP-TLS                       PEM     SSH-DSA           PEM
ISSUE                         TEXT    SSH-ECDSA         PEM
LBS                           PEM     SSH-ED25519       PEM
OCSP-SERVER                   PEM     SSH-ED448         PEM
PBSPOT-TEMPLATE-AGB           TEXT    SSH-KNOWN-HOSTS   TEXT
PBSPOT-TEMPLATE-ERROR         TEXT    SSH-RSA           PEM
PBSPOT-TEMPLATE-HELP          TEXT    TLS               PEM
PBSPOT-TEMPLATE-LOGIN         TEXT    USER-WIZARD-1     TEXT
PBSPOT-TEMPLATE-LOGIN-EMAIL   TEXT    USER-WIZARD-2     TEXT
PBSPOT-TEMPLATE-LOGIN-SMS     TEXT    USER-WIZARD-3     TEXT
PBSPOT-TEMPLATE-LOGOFF        TEXT    USER-WIZARD-4     TEXT
PBSPOT-TEMPLATE-NOPROXY       TEXT    VCM-TLS           PEM
PBSPOT-TEMPLATE-REG-EMAIL     TEXT    VPN-ADD-CAS       PEM
PBSPOT-TEMPLATE-REG-SMS       TEXT    VPN1              PEM
PBSPOT-TEMPLATE-START         TEXT    VPN2              PEM
PBSPOT-TEMPLATE-STATUS        TEXT    VPN3              PEM
PBSPOT-TEMPLATE-VOUCHER       TEXT    VPN4              PEM
PBSPOT-TEMPLATE-WELCOME       TEXT    VPN5              PEM
PROVISIONING-SERVER           PEM     VPN6              PEM
RADIUS-ACCOUNT-TOTAL          TEXT    VPN7              PEM
RADSEC                        PEM     VPN8              PEM
ROLLOUT-TEMPLATE              TEXT    VPN9              PEM
ROLLOUT-WIZARD                TEXT    WLC-SCRIPT1       TEXT
SCEP-CA                       PEM     WLC-SCRIPT2       TEXT
SCEP-RA                       PEM     WLC-SCRIPT3       TEXT
Wireless-ePaper               PEM

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de