Jump to content
Welcome to our new Citrix community!

Need a command policy expression to stop user to export certificates from the ADC

Recommended Posts

How do I configure a command policy for not allowing a user to export certificate.

The command in question is below.

"convert ssl pkcs12 "/nsconfig/ssl/deneme2pfx" -pkcs12File "/nsconfig/ssl/ok-com-tr" -export -certFile "/nsconfig/ssl/ok-com-tr" -keyFile "/nsconfig/ssl/ok-com-tr"

I've tried below command policy but it also denies certificate import.

add system cmdPolicy cert_export_cmd_pol DENY "(^convert\\s+ssl\\s+pkcs12)

Link to comment
Share on other sites

First: anytime you grant access to file system there is more risk.  I make note of a side effects we won't be able to restrict below.  This is the "risky" part of this command rights you are asking for. So please review thoroughly to make sure there are no unexpected risks.  So a full restriction of what you want, may not be completely possible.


Second: the "import" command in GUI, imports a .PFX AND converts it to .CER (with both a cert and private key).

The "export" command in GUI, takes an existing cert and key file and converts back to a pkcs#12 (.pfx) format.

"convert ssl pkcs12 demo1.pfx -pkcs12File "/nsconfig/ssl/demo1.cer" -export -certFile "/nsconfig/ssl/demo1.cer" -keyFile "/nsconfig/ssl/demo1.pem" -password"


The import/export are the same command with slightly different parameters:

"convert ssl pkcs12 demo2.cer -import -pkcs12File "/nsconfig/ssl/demo1.pfx" -aes256 -certFile "/nsconfig/ssl/demo1.pfx"


Your DENY permission above is blocking the wrong pattern or at least overlapping.  Because the same command root:  convert ssl pkcs12 is used in both imports and exports.


In addition, you will also likely need "add or show system file" commands to be able to upload from local to appliance or browse appliance for source files to convert.  I've tried to restrict this to only the necessary rights to the '/nsconfig/ssl' directory only and only in service of file uploads and not download...but if the GUI changes the way the command is formatted, this restriction cannot be guaranteed and any admin with cert import rights may in the future be able to download files even without the export/conversion command.  Test carefully.


Next: a possible solution for you:

For my testcase, I'm working with ALLOW commands only that exclude the -export option.  And rely on the user otherwise receiving read-only rights to guarantee gui access.


Through GUI, this should allow the following:

ALLOW:  Traffic Management > SSL > Import PKCS#12 (from either local or appliance).

EXCLUDE:  Export PKCS#12

HOWEVER, the file system command rights needed to upload files to the appliance and view the file system directory ALSO grants access to the Manage Certificates node.

Though due to a very subtle quirk in how the command is executed, uploads via this additional interface will be allowed but downloads are prevented (and only because the gui implements this command as /nsconfig/ssl without a trailing "/"; while all the upload commands I tested required the trailing "/" as /nsconfig/ssl/" .  This means that any gui change in the future might change the scope of this right to be more or less restrictive then you expect in the future.  It doesn't stop "viewing" of the cert/key file in gui; so you still have risk of copy out of file contents.  No way to restrict this without preventing viewing of the file system at all.  You might be able to do add only and user type in strings; without browsing; but without "add" you can't upload.  So review this as it probably is creating a condition that you don't want to allow.


If admin will only operate at command line, then very granular regex's can be used and the ability to view file system may not be required.


### Allowed import command examples:

#   Cert import example (through gui, you can test filesystem access from local vs. appliance); 

convert ssl pkcs12 demo2.cer -import -pkcs12File "/nsconfig/ssl/demo1.pfx" -aes256 -certFile "/nsconfig/ssl/demo1.pfx

#    Add/Show file system, restricted to /nsconfig/ssl/

add system file demo1.pfx -fileLocation "/nsconfig/ssl/"
show system file -fileLocation "/nsconfig/ssl/"


#### Denied export command examples:

convert ssl pkcs12 demo1.pfx -pkcs12File "/nsconfig/ssl/demo1.cer" -export -certFile "/nsconfig/ssl/demo1.cer" -keyFile "/nsconfig/ssl/demo1.pem" -password

# this last one is malformed as there is an -import and -export flag; invalid command; but wanted to make sure it could be excluded in a basic regex match....

convert ssl pkcs12 demo1.pfx -import -pkcs12File "/nsconfig/ssl/demo1.cer" -export -certFile "/nsconfig/ssl/demo1.cer" -keyFile "/nsconfig/ssl/demo1.pem" -password
#   Denied show file system commands without trailing "/" or non "/nsconfig/ssl/" directories:

#   For the /nsconfig/ssl denies, test via the Traffic Management > SSL > Manage Certs  (upload vs download); upload should work; hopefully downloads are denied.

add system file demo1.pfx -fileLocation "/nsconfig/ssl"
show system file -fileLocation "/nsconfig/ssl"

show system file -fileLocation "/var/download/responder/"


RegEx Patterns (raw) for import cert and file system uploads:

(^convert ssl pkcs(.*-import)(?!.*-export).*)

(^(add|show) system file.*-fileLocation "/nsconfig/ssl/")


Actual Audit Policies:  ALLOW (again test user also received built-in read-only so GUI would load)

Command Spec:

add system cmdPolicy custom_allowcertimport3 ALLOW "(^convert ssl pkcs(.*-import)(?!.*-export).*)"

add system cmdPolicy custom_allowcertimport_fs ALLOW "(^(add|show) system file.*-fileLocation \"/nsconfig/ssl/\")"


In the GUI (

ALLOWS:  Traffic Management > SSL:  Import PKCS#12 (works) AND allows user to browser from local or appliance to upload to the /nsconfig/ssl/ directory. (This is the piece that is problematic.)

DENIES:  Traffic Management > SSL:  Export PKCS#12


ALLOWS:  Traffic Management > SSL > Manage Certificates / Keys / CSRs node.

Due to the above ADD and SHOW rights, this view with these rights WILL do the follwoing:

-  WILL display all cert files on system.  

-  WILL allow upload of files from local to the /nsconfig/ssl/ directory

WILL allow users to view the file itself (file contents); so copy/paste of keys and certs can still occur.  This is granted by the "show system file -fileLocation" command stub above.

-  DOES NOT ALLOW download of files from this pane. But only because the GUI is currently referencing this command via location "/nsconfig/ssl" and not "/nsconfig/ssl/". If the gui ever changes, this may overlap with the allow rights above.


If the allowcertimport file system command policy (_fs) is modified to keep the "add system file" command but exclude the "show system file" command, its possible that you would still be able to complete cert imports, but only for files already on the appliance AND only by typing in the name in the GUI and not using the drop down list. I did not test for this scenario.

But without "show" rights you can't view the file system to use the pick list.


Also:  to review/troubleshoot audit rights:

1) use syslog:


cd /var/log

tail -f ns.log | grep CMD_EXEC


2) run both an allowed account with full rights on the task you want to see what all they are doing.

3) compare with an account that is denied to figure out which rights to adjust. Repeat 2-3 until its solved.



Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...