: Manage Certificates (API)
Focus
Focus

Manage Certificates (API)

Table of Contents

Manage Certificates (API)

Manage certificates using the Palo Alto Networks XML API.
Using the XML API, you can automate the management workflow for certificates. You can programatically:
  • Generate self-signed certificates
  • Configure Certificate Authorities (CAs) to sign certificates
  • Set certificates as Trusted Root CAs, Forward Trust Certificates, and Forward Untrust Certificates
  • Renew and revoke certificates
  • Bulk import and export certificates
For more information about the use of certificates on Palo Alto Networks Firewalls, see: Keys and Certificates.
  1. Send a request to generate a self-signed certificate.
    With the XML API, you can generate certificates, flag the certificates as self-signed, and set cryptographic and certificate attributes in a single request.
    The following example creates a certificate named SSCert with an IP address of 10.2.1.1 using RSA as the cryptographic algorithm. This certificate is set as a self-signed certificate using the element <ca> set to yes:
    curl -X GET "<firewall>/api/?key <apikey>&type=op&cmd=<request><certificate><generate><algorithm><RSA><rsa-nbits>512</rsa-nbits></RSA></algorithm><certificate-name>SSCert</certificate-name><name>10.2.1.1</name><ca>yes</ca></generate></certificate></request>"
  2. Send a request to set the certificate you created above as a trusted root certificate and a forward trust certificate.
    The following requests use the configuration command and the xpath of the certificate you generated to set the certificate as a forward trust certificate and as a trusted root certificate.
    curl -X GET "<firewall>/api/?key=<apikey>&type=config&action=set&xpath=/config/shared/ssl-decrypt&element=<trusted-root-CA><member>SSCert</member></trusted-root-CA>"
    curl -X GET "/api/?key=<apikey>&type=config&action=set&xpath=/config/shared/ssl-decrypt&element=<forward-trust-certificate><rsa>SSCert</rsa></forward-trust-certificate>"`
  3. Send a request to create a subordinate certificate using the self-signed certificate you generated.
    The following request creates a subordinate of the SSCert that you can use to get more granular control in the chain of trust.
    curl -X GET "<firewall>/api/?key=<apikey>&type=op&cmd=<request><certificate><generate><algorithm><RSA><rsa-nbits>512</rsa-nbits></RSA></algorithm><certificate-name>subordinate</certificate-name><name>subordinateip</name><digest>sha256</digest><signed-by>SSCert</signed-by></generate></certificate></request>"
  4. Send a request to export certificates locally so that you can install the certificates on your clients.
    The following request downloads the self-signed certificate as SSCert.pem.
    curl -o SSCert.pem "<firewall>/api/?key=<apikey>&type=op&cmd=<download><certificate><certificate-name>SSCert</certificate-name><format>pem</format></certificate></download>"
  5. Import the certificates to other firewalls.
    The following request uploads the SSCert certificate to a firewall.
    curl -F "file=@<path of the file>" "<firewall>/api/?key=<apikey>&type=import&category=certificate&certificate-name=SSCert&format=pem"
    Alternatively, to import both the certificate and private key to your firewalls at the same time, use the following command:
    curl -F "file=@<path of the file>" "<firewall>/api?key=<apikey>type=import&category=keypair&certificate-name=SSCert.pem.txt&format=pem&passphrase= secretphrase
    To import a certificate to a specific template and device on Panorama, use the following command:
    curl -F "file=@<path of the file>" "<firewall>/api/?key=<apikey>&type=import&category=certificate&certificate-name=SSCert&format=pem&target-tpl=template&target-tpl-vsys=vsys1"
  6. Renew and revoke certificates.
    The following request revokes the subordinate certificates.
    curl - X GET "<firewall>/api/?key=<apikey>&type=op&cmd=<request><certificate><revoke><certificate-name>subordinate</certificate-name></revoke></request></certificate>"
    The following request renews the self-signed root certificate that you generated.
    curl - X GET "<firewall>/api/?key=<apikey>&type=op&cmd=<request><certificate><renew><certificate-name>SSCert</certificate-name><days-till-expiry>365</days-till-expiry></renew></certificate></request>"
  7. Send a request to commit the changes.
    curl - X GET "<firewall>/api/?type=commit&cmd=<commit></commit>&key=<apikey>"