Generate an API Key Certificate
PAN-OS 11.1 & Later
How to use a Palo Alto Networks certificate to encrypt your API Key.
With PAN-OS and Panorama, you can encrypt the PAN-OS API Key using a device certificate when you retrieve your API key. This feature utilizes the PAN-OS device certificate management function to encrypt the API key for enhanced protection.
When using the PAN-OS API key certificate with Panorama:
- If you generate the API key from Panorama, a secure connection will persist from Panorama to the managed firewalls.
- The Expire all API Keys button will only affect the local device the API key was generated with.
- Generate a Certificate. For the key generation Algorithm, select an RSA value at or above 3,072 bits.
  - All API Certificates used for API key encryption must meet a minimum threshold of 3,072 bits.
  - Each API Key Certificate must be a self-signed CA Certificate.
  - You must place the Certificate in a shared location.
- Edit the Device > Setup > Management > Authentication settings.
- Select the API Key Certificate field to select the certificate you generated in step 1. As a best practice, Palo Alto Networks recommends you select a short API Key Lifetime.
- Commit the changes for the API Key Certificate to begin encrypting the API key. It's important to note that when you start encrypting API keys with a certificate:
  - The firewall will invalidate all existing API keys.
  - If you start managing a firewall with Panorama, Panorama will invalidate any existing API key or keys as the Panorama key will take precedence.
- Get Your API Key. The newly generated API Key is encrypted using the certificate. PAN-OS invalidates generated API keys when:
  - The user who generated the API key is deleted.
  - The user's password changes.
  - The token lifetime elapses.
  - The API Key certificate is reconfigured.
  - The API Key certificate expires.
  - PAN-OS can't decrypt the API key.
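
Because the conditions above invalidate a key without any notice to API clients, and a short API Key Lifetime makes that routine, automation should treat a rejected key as a signal to request a new one. The following is an added example, not Palo Alto Networks code: it assumes an invalidated key is rejected with the XML API's `403` error response, and `call_with_rekey`, `send` and `keygen` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Assumption: an invalidated key is rejected with the XML API's
# authentication error, <response status="error" code="403">.
AUTH_ERROR_CODE = "403"

def parse_response(xml_text):
    """Return (status, code, root) for a PAN-OS XML API response body."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("not a PAN-OS XML API response")
    return root.get("status"), root.get("code"), root

def extract_key(keygen_xml):
    """Pull the key out of a type=keygen response; raise if keygen failed."""
    status, code, root = parse_response(keygen_xml)
    key = root.findtext("./result/key")
    if status != "success" or not key:
        raise PermissionError(f"keygen failed (status={status}, code={code})")
    return key

def call_with_rekey(send, keygen, key):
    """Run send(key); if the key was invalidated, re-key once and retry.

    send(key) and keygen() are caller-supplied transports (hypothetical
    names) that return response XML text. Returns (response_xml, key).
    """
    body = send(key)
    status, code, _ = parse_response(body)
    if status == "error" and code == AUTH_ERROR_CODE:
        key = extract_key(keygen())  # one re-key attempt only, no retry loop
        body = send(key)
        status, code, _ = parse_response(body)
        if status == "error" and code == AUTH_ERROR_CODE:
            raise PermissionError("new key rejected; check the account and API Key Certificate")
    return body, key

# Constructed sample responses (not captured from a real firewall).
OK = '<response status="success"><result><sw-version>11.1.0</sw-version></result></response>'
DENIED = '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'
KEYGEN = '<response status="success"><result><key>CONSTRUCTED-NEW-KEY</key></result></response>'

def demo():
    """Simulate a firewall that accepts only the newly generated key."""
    accept_new = lambda k: OK if k == "CONSTRUCTED-NEW-KEY" else DENIED
    return call_with_rekey(accept_new, lambda: KEYGEN, "CONSTRUCTED-OLD-KEY")

if __name__ == "__main__":
    print(demo()[1])
```

Limiting the retry to a single keygen call keeps a deleted account or changed password from turning into a loop of failed logins.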