Manage Certificates (API)
Table of Contents
PAN.OS 11.1 & Later
Expand all | Collapse all
-
- Upgrade a Firewall to the Latest PAN-OS Version (API)
- Show and Manage GlobalProtect Users (API)
- Query a Firewall from Panorama (API)
- Upgrade PAN-OS on Multiple HA Firewalls through Panorama (API)
- Automatically Check for and Install Content Updates (API)
- Enforce Policy using External Dynamic Lists and AutoFocus Artifacts (API)
- Configure SAML 2.0 Authentication (API)
- Quarantine Compromised Devices (API)
- Manage Certificates (API)
-
- Asynchronous and Synchronous Requests to the PAN-OS XML API
- Run Operational Mode Commands (API)
- Apply User-ID Mapping and Populate Dynamic Groups (API)
- Get Version Info (API)
-
- PAN-OS REST API
- Access the PAN-OS REST API
- Resource Methods and Query Parameters (REST API)
- PAN-OS REST API Request and Response Structure
- PAN-OS REST API Error Codes
- Work With Objects (REST API)
- Create a Security Policy Rule (REST API)
- Work with Policy Rules on Panorama (REST API)
- Create a Tag (REST API)
- Configure a Security Zone (REST API)
- Configure an SD-WAN Interface (REST API)
- Create an SD-WAN Policy Pre Rule (REST API)
- Configure an Ethernet Interface (REST API)
- Update a Virtual Router (REST API)
- Work With Decryption (APIs)
Manage Certificates (API)
Manage certificates using the Palo Alto Networks XML
API.
Using the XML API, you can automate the management
workflow for certificates. You can programatically:
-
Generate self-signed certificates
-
Configure Certificate Authorities (CAs) to sign certificates
-
Set certificates as Trusted Root CAs, Forward Trust Certificates, and Forward Untrust Certificates
-
Renew and revoke certificates
-
Bulk import and export certificates
For more
information about the use of certificates on Palo Alto Networks
Firewalls, see:
Keys and Certificates.
- Send
a request to generate a self-signed certificate.With the XML API, you can generate certificates, flag the certificates as self-signed, and set cryptographic and certificate attributes in a single request.The following example creates a certificate named SSCert with an IP address of 10.2.1.1 using RSA as the cryptographic algorithm. This certificate is set as a self-signed certificate using the element <ca> set to yes:curl -X GET "<firewall>/api/?key <apikey>&type=op&cmd=<request><certificate><generate><algorithm><RSA><rsa-nbits>512</rsa-nbits></RSA></algorithm><certificate-name>SSCert</certificate-name><name>10.2.1.1</name><ca>yes</ca></generate></certificate></request>"
- Send a request to set the certificate you created above as a trusted root certificate and a forward trust certificate.
The following requests use the configuration command and the xpath of the certificate you generated to set the certificate as a forward trust certificate and as a trusted root certificate.curl -X GET "<firewall>/api/?key=<apikey>&type=config&action=set&xpath=/config/shared/ssl-decrypt&element=<trusted-root-CA><member>SSCert</member></trusted-root-CA>"curl -X GET "/api/?key=<apikey>&type=config&action=set&xpath=/config/shared/ssl-decrypt&element=<forward-trust-certificate><rsa>SSCert</rsa></forward-trust-certificate>"`- Send a request to create a subordinate certificate using the self-signed certificate you generated.
The following request creates a subordinate of the SSCert that you can use to get more granular control in the chain of trust.curl -X GET "<firewall>/api/?key=<apikey>&type=op&cmd=<request><certificate><generate><algorithm><RSA><rsa-nbits>512</rsa-nbits></RSA></algorithm><certificate-name>subordinate</certificate-name><name>subordinateip</name><digest>sha256</digest><signed-by>SSCert</signed-by></generate></certificate></request>"- Send a request to export certificates locally so that you can install the certificates on your clients.
The following request downloads the self-signed certificate as SSCert.pem.curl -o SSCert.pem "<firewall>/api/?key=<apikey>&type=op&cmd=<download><certificate><certificate-name>SSCert</certificate-name><format>pem</format></certificate></download>"- Import the certificates to other firewalls.
The following request uploads the SSCert certificate to a firewall.curl -F "file=@<path of the file>" "<firewall>/api/?key=<apikey>&type=import&category=certificate&certificate-name=SSCert&format=pem"Alternatively, to import both the certificate and private key to your firewalls at the same time, use the following command:curl -F "file=@<path of the file>" "<firewall>/api?key=<apikey>type=import&category=keypair&certificate-name=SSCert.pem.txt&format=pem&passphrase= secretphraseTo import a certificate to a specific template and device on Panorama, use the following command:curl -F "file=@<path of the file>" "<firewall>/api/?key=<apikey>&type=import&category=certificate&certificate-name=SSCert&format=pem&target-tpl=template&target-tpl-vsys=vsys1"- Renew and revoke certificates.
The following request revokes the subordinate certificates.curl - X GET "<firewall>/api/?key=<apikey>&type=op&cmd=<request><certificate><revoke><certificate-name>subordinate</certificate-name></revoke></request></certificate>"The following request renews the self-signed root certificate that you generated.curl - X GET "<firewall>/api/?key=<apikey>&type=op&cmd=<request><certificate><renew><certificate-name>SSCert</certificate-name><days-till-expiry>365</days-till-expiry></renew></certificate></request>"- Send a request to commit the changes.
curl - X GET "<firewall>/api/?type=commit&cmd=<commit></commit>&key=<apikey>" - Send a request to set the certificate you created above as a trusted root certificate and a forward trust certificate.