Generate an API Key Certificate
PAN-OS 11.1 & Later
How to use a Palo Alto Networks certificate to encrypt your API Key.
With PAN-OS and Panorama, you can encrypt the PAN-OS API key using a device certificate when you retrieve your API key. This feature uses the PAN-OS device certificate management function to encrypt the API key for enhanced protection.
When using the PAN-OS API key certificate with Panorama:
- If you generate the API key from Panorama, a secure connection will persist from Panorama to the managed firewalls.
- The Expire all API Keys button will only affect the local device the API key was generated with.
1. Generate a Certificate. For the key generation Algorithm, select an RSA value at or above 3,072 bits.
   - All API Certificates used for API key encryption must meet a minimum threshold of 3,072 bits.
   - Each API Key Certificate must be a self-signed CA Certificate.
   - You must place the Certificate in a shared location.
2. Edit the Device > Setup > Management > Authentication settings. Select the API Key Certificate field to select the certificate you generated in step 1. As a best practice, Palo Alto Networks recommends you select a short API Key Lifetime.
3. Commit the changes for the API Key Certificate to begin encrypting the API key. It's important to note that when you start encrypting API keys with a certificate:
   - The firewall will invalidate all existing API keys.
   - If you start managing a firewall with Panorama, Panorama will invalidate any existing API key or keys as the Panorama key will take precedence.
4. Get Your API Key. The newly generated API Key is encrypted using the certificate. PAN-OS invalidates generated API keys when:
   - The user who generated the API key is deleted.
   - The user's password changes.
   - The token lifetime elapses.
   - The API Key certificate is reconfigured.
   - The API Key certificate expires.
   - PAN-OS can't decrypt the API key.
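Because committing an API Key Certificate and each condition in the list above invalidates keys already held by scripts, automation should treat a rejected key as a signal to request a new one rather than as a fatal error. The following is an added example, not code from Palo Alto Networks: `PanosSession`, the `send(params, headers)` transport and `FakeFirewall` are hypothetical names, the XML replies are constructed samples, and it assumes a rejected key is reported as XML API error code 403.

```python
import xml.etree.ElementTree as ET

class ApiKeyInvalid(Exception):
    """The device answered with XML API error code 403 (bad key or credentials)."""

def parse_reply(body):
    root = ET.fromstring(body)
    if root.get("status") == "error" and root.get("code") == "403":
        raise ApiKeyInvalid(root.findtext("result/msg", default="rejected"))
    return root

class PanosSession:
    """Caches one API key and regenerates it once when the device rejects it."""
    def __init__(self, send, user, password):
        self._send = send  # assumed transport: send(params, headers) -> XML text
        self._user, self._password, self._key = user, password, None
        self.keygen_count = 0

    def _keygen(self):
        # type=keygen with user/password is how the XML API issues a key.
        creds = {"type": "keygen", "user": self._user, "password": self._password}
        self._key = parse_reply(self._send(creds, {})).findtext("result/key")
        self.keygen_count += 1

    def request(self, params):
        if self._key is None:
            self._keygen()
        try:
            return parse_reply(self._send(params, {"X-PAN-KEY": self._key}))
        except ApiKeyInvalid:
            # Key was invalidated (lifetime elapsed, certificate reconfigured, ...).
            self._keygen()  # raises ApiKeyInvalid if the password changed as well
            return parse_reply(self._send(params, {"X-PAN-KEY": self._key}))

DENY = '<response status="error" code="403"><result><msg>Invalid Credential</msg></result></response>'

class FakeFirewall:
    """Constructed stand-in for a device; replies only mimic the XML API shape."""
    def __init__(self, password):
        self.password, self.valid, self.issued = password, set(), 0

    def send(self, params, headers):
        if params.get("type") == "keygen":
            if params["password"] != self.password:
                return DENY
            self.issued += 1
            key = f"constructed-key-{self.issued}"
            self.valid.add(key)
            return f'<response status="success"><result><key>{key}</key></result></response>'
        if headers.get("X-PAN-KEY") not in self.valid:
            return DENY
        return '<response status="success"><result>ok</result></response>'
```

The single retry is deliberate: if the key was invalidated because the user's password changed or the user was deleted, regeneration fails too and the error surfaces instead of looping.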