API calls for exporting and importing certificates in a specific template on Panorama
Created On 03/28/25 09:50 AM - Last Modified 08/07/25 03:31 AM
Symptom
- API calls for automating import, export and renewal of certificates on Panorama
- The certificates can be in specific templates for Firewalls managed by Panorama
Environment
- Panorama managed Firewalls
- Supported PAN-OS
- API
- Certificates in template
Cause
The customer requires specific API calls to automate the certificate renewal process for large firewall deployments.
Resolution
- The procedure tested is given below.
- We request you to test this procedure in a lab environment before using it in production, since the names of the virtual systems and templates, as well as the certificate name, can vary.
- Set the target vsys:
  - https://10.XX.XX.XX/api?type=op&cmd=<set><system><setting><target><template><name>TPL1</name><vsys>vsys1</vsys></template></target></setting></system></set>&key=
  - TPL1 is the name of the template
  - vsys1 is the name of the vsys
- Generate a CSR:
  - https://10.XX.XX.XX/api?type=op&cmd=<request><certificate><generate><certificate-name>apicert</certificate-name><name>testing</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><signed-by>external</signed-by><ca>no</ca></generate></certificate></request>&key=
  - apicert is the name of the certificate
  - testing is the CN
- Export the CSR:
  - https://10.XX.XX.XX/api?type=export&category=certificate&certificate-name=apicert&format=pkcs10&include-key=no&key=
- Import the signed certificate:
  - curl -F file=@./cert_test123.crt 'https://10.XX.XX.XX/api?type=import&category=certificate&certificate-name=apicert.crt&format=pem&key=' -k
  - file=@<path of the cert file>
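
The four calls above wrapped in one script, added here as an example (not code from this article): it URL-encodes the XML `cmd`, sends the API key in the `X-PAN-KEY` header instead of the query string, verifies Panorama's TLS certificate rather than passing `-k`, and checks each reply for `status="success"`. The variables `PAN_HOST`, `PAN_KEY`, `PAN_CA` and all function names are assumptions, as is a PAN-OS version that accepts the `X-PAN-KEY` header.

```shell
#!/bin/sh
# Added example, not from the KB article. Assumed environment variables:
# PAN_HOST (Panorama address), PAN_KEY (API key), PAN_CA (CA bundle file).

# Allowlist for values placed into XML elements or the query string.
valid_name() {
  case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Step 1 XML: target a template and vsys.
target_cmd() {
  valid_name "$1" && valid_name "$2" || return 1
  printf '<set><system><setting><target><template><name>%s</name><vsys>%s</vsys></template></target></setting></system></set>' "$1" "$2"
}

# Step 2 XML: RSA-2048 / SHA-256 CSR, externally signed, not a CA.
csr_cmd() {
  valid_name "$1" && valid_name "$2" || return 1
  printf '<request><certificate><generate><certificate-name>%s</certificate-name><name>%s</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><signed-by>external</signed-by><ca>no</ca></generate></certificate></request>' "$1" "$2"
}

# True when the XML reply carries status="success".
api_ok() { printf '%s' "$1" | grep -q '<response[^>]*status="success"'; }

# Key travels in a header, so it stays out of URLs and access logs; TLS is verified.
pan_curl() {
  curl -sS --fail --cacert "${PAN_CA:?}" -H "X-PAN-KEY: ${PAN_KEY:?}" "$@"
}

# Steps 1-3: request_csr TEMPLATE VSYS CERT_NAME CN OUT_FILE
request_csr() {
  t=$(target_cmd "$1" "$2") && c=$(csr_cmd "$3" "$4") || { echo "invalid name" >&2; return 1; }
  for cmd in "$t" "$c"; do
    r=$(pan_curl -G "https://${PAN_HOST:?}/api" --data-urlencode type=op \
      --data-urlencode "cmd=$cmd") || return 1
    api_ok "$r" || { echo "API error: $r" >&2; return 1; }
  done
  pan_curl -G "https://$PAN_HOST/api" -d type=export -d category=certificate \
    -d "certificate-name=$3" -d format=pkcs10 -d include-key=no -o "$5" &&
    grep -q 'BEGIN CERTIFICATE REQUEST' "$5"  # assumption: CSR is returned PEM-encoded
}

# Step 4: import_signed CERT_NAME SIGNED_CERT_FILE
import_signed() {
  valid_name "$1" || return 1
  r=$(pan_curl -F "file=@$2" "https://${PAN_HOST:?}/api?type=import&category=certificate&certificate-name=$1&format=pem") || return 1
  api_ok "$r"
}
```

Source the file, call `request_csr`, have the external CA sign the exported CSR, then call `import_signed` with the certificate name and the signed PEM file.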