How to generate a certificate and get it signed by a CA certificate using XML API
Created On 12/04/19 04:17 AM - Last Modified 07/03/24 02:14 AM
Objective
This article provides the XML API calls to generate a user/server certificate on a Palo Alto Networks firewall and have it signed by a CA certificate that already exists on the firewall.
Environment
When an admin needs to generate many user/server certificates, these API calls can be placed in a script to automate certificate generation.
As a prerequisite, the signing CA certificate, including its private key, must already exist on the firewall, because the firewall itself performs the signing.
In the sample below, a certificate named test-CA acts as the CA that signs the user/server certificates:
Procedure
The API call to generate a certificate named "test-server" (common name test-server, 2048-bit RSA key, SHA-256 digest) and have it signed by the CA certificate "test-CA" is:
https://x.x.x.x/api/?type=op&cmd=<request><certificate><generate><certificate-name>test-server</certificate-name><name>test-server</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><ca>no</ca><signed-by>test-CA</signed-by></generate></certificate></request>&key=api-key
A browser URL-encodes the cmd value automatically; a script must do so explicitly. Note that the API key in the query string ends up in browser history and web server logs, so from scripts prefer sending it in the X-PAN-KEY request header instead of the key parameter.
After successful execution the browser returns a response with status="success", similar to the output below:
In the web GUI (Device > Certificate Management > Certificates), test-server is listed beneath test-CA, showing the certificate chain:
The digest and rsa-nbits values can be changed to suit business needs; avoid sha1 and md5 digests and keys shorter than 2048 bits, which the firewall still offers for legacy compatibility.
To export the user/server certificate together with its private key in PKCS#12 format, protected by a passphrase, use the API below. The response body is the binary .p12 file (on failure an XML error response is returned instead). The URL carries both the passphrase and the API key, so treat it as sensitive:
https://x.x.x.x/api/?type=export&category=certificate&certificate-name=test-server&format=pkcs12&include-key=yes&passphrase=passphrase-value&key=api-key
Additional Information
To obtain the key (referred to as api-key in the previous section) needed to execute the above APIs, use the keygen query below with the credentials of an administrator account:
https://x.x.x.x/api/?type=keygen&user=xxxxx&password=xxxxx
Successful execution returns the API key inside <response status="success"><result><key>...</key></result></response>, similar to the output below. The key carries the privileges of that administrator, so store it like a password and, for automation, use a dedicated admin account with a restricted role.
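The whole procedure (keygen, generate, export) as a script, added here as an example and not part of the original article or of Palo Alto Networks' own tooling. It assumes the placeholders from the article (firewall x.x.x.x, CA test-CA, API calls sent to /api/), an admin account, and that the firewall's management certificate is trusted by the client. Requests are sent as POST bodies with the API key in the X-PAN-KEY header so that credentials, passphrases and the key stay out of URLs and access logs; the sample XML responses are constructed for offline checks.

```python
"""Bulk-generate firewall-signed server certificates through the PAN-OS XML API.

Example code only (not from the article). FIREWALL and SIGNING_CA are the article's
placeholders; SAMPLE_* responses are constructed to illustrate the response envelope.
"""
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FIREWALL = "x.x.x.x"      # hypothetical management address
SIGNING_CA = "test-CA"    # CA certificate (with private key) already on the firewall

# Constructed sample responses in the XML API envelope (not captured from a device).
SAMPLE_KEYGEN_OK = '<response status="success"><result><key>EXAMPLE-API-KEY</key></result></response>'
SAMPLE_AUTH_FAIL = '<response status="error" code="403"><result><msg>Invalid Credential.</msg></result></response>'


def generate_cmd(cert_name, common_name, signed_by=SIGNING_CA, rsa_bits=2048, digest="sha256"):
    """Build the <request> XML shown in the article for one end-entity certificate.
    ElementTree escapes the text, so a name containing '<' or '&' cannot alter the command."""
    req = ET.Element("request")
    gen = ET.SubElement(ET.SubElement(req, "certificate"), "generate")
    ET.SubElement(gen, "certificate-name").text = cert_name
    ET.SubElement(gen, "name").text = common_name           # subject common name
    rsa = ET.SubElement(ET.SubElement(gen, "algorithm"), "RSA")
    ET.SubElement(rsa, "rsa-nbits").text = str(rsa_bits)
    ET.SubElement(gen, "digest").text = digest
    ET.SubElement(gen, "ca").text = "no"                     # server/user cert, not a CA
    ET.SubElement(gen, "signed-by").text = signed_by
    return ET.tostring(req, encoding="unicode")


def export_params(cert_name, passphrase):
    """Parameters of the article's PKCS#12 export call (certificate plus private key)."""
    return {"type": "export", "category": "certificate", "certificate-name": cert_name,
            "format": "pkcs12", "include-key": "yes", "passphrase": passphrase}


def response_status(xml_text):
    """Return (status, code, message) from an XML API response envelope."""
    root = ET.fromstring(xml_text)
    return root.get("status"), root.get("code"), root.findtext(".//msg")


def check_response(xml_text):
    """Parse a response and fail loudly on anything other than status="success"."""
    status, code, msg = response_status(xml_text)
    if status != "success":
        raise RuntimeError(f"XML API error (code={code}): {msg or 'no message'}")
    return ET.fromstring(xml_text)


def api_key_from(xml_text):
    """Extract the key from a keygen response."""
    return check_response(xml_text).findtext("./result/key")


def api_call(params, api_key=None, ssl_ctx=None):
    """POST to /api/ so secrets travel in the body; the key goes in the X-PAN-KEY header."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"https://{FIREWALL}/api/", data=data, method="POST")
    if api_key:
        req.add_header("X-PAN-KEY", api_key)
    with urllib.request.urlopen(req, context=ssl_ctx, timeout=30) as resp:
        return resp.read()


def provision(names, user, password, passphrase, ssl_ctx=None):
    """Generate one signed certificate per name and save each bundle as <name>.p12."""
    key = api_key_from(api_call({"type": "keygen", "user": user, "password": password},
                                ssl_ctx=ssl_ctx).decode())
    for name in names:
        check_response(api_call({"type": "op", "cmd": generate_cmd(name, name)}, key, ssl_ctx).decode())
        bundle = api_call(export_params(name, passphrase), key, ssl_ctx)
        if bundle.lstrip().startswith(b"<"):      # an error envelope instead of a .p12 file
            check_response(bundle.decode())
        with open(f"{name}.p12", "wb") as fh:
            fh.write(bundle)


if __name__ == "__main__":
    # usage: script.py <admin-user> <password> <p12-passphrase> <cert-name> [<cert-name> ...]
    user, password, passphrase, *names = sys.argv[1:]
    # Default context verifies the firewall's management certificate; load your own CA if needed.
    provision(names, user, password, passphrase, ssl.create_default_context())
```

The export handling matters in practice: the export endpoint returns the raw PKCS#12 bytes on success but an XML envelope on failure, so a script that blindly writes the body to disk ends up with an XML error message in a .p12 file.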