topic Re: Automating certificate import into Panorama (not a template) in Automation/API Discussions

Automating certificate import into Panorama (not a template)

ERolleman — Fri, 13 May 2022 17:36:05 GMT

I have importing a certificate into a template working:

curl -s -i -k -F -F "file=@{{cert_path}}" -X POST "https://panorama/?key={{api_key}}&type=import&category=keypair&certificate-name=letsencrypt_cert&format=pkcs12&passphrase={{password}}&target-tpl=CORE-SBO_ECS"

I assumed that importing the certificate into Panorama is that same except without the "&target-tpl=CORE-SBO_ECS" piece of the URL, however this does not appear to be that case. The command completes, however there is not certificate imported into Panorama.

curl -s -i -k -F "file=@{{cert_path}}" -X POST "https://panorama/?key={{api_key}}&type=import&category=keypair&certificate-name=letsencrypt_cert&format=pkcs12&passphrase={{password}}"

Side note: The script I am writing is for use with ansible. There is a PaloAlto ansible module, however it is not idempotent.

** For those like me that didn't know what idempotent means: If the configuration/file/object is already in place then no changes are made and ansible will report the task as OK. Instead, the PaloAlto ansible module always imports the certificate even if it is the same certificate and reports a change is made.

Re: Automating certificate import into Panorama (not a template)

Atkins69 — Mon, 16 May 2022 05:15:03 GMT

Check this out, this might help : https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/set-up-panorama/install-the-panorama-device-certificate/epayitonline

Re: Automating certificate import into Panorama (not a template)

ERolleman — Mon, 16 May 2022 14:19:01 GMT

Thank you for the suggestion, however it unfortunately does not help in my case. The certificate that I am importing is for the web interface HTTPS. I have a certificate from Lets Encrypt that I am trying to automate the deployment of to Panorama's to handle SSL for Panorama and a couple templates that will push the certificate to our PaltoAlto firewalls for the SSL on their web interfaces as well.

Re: Automating certificate import into Panorama (not a template)

summation — Mon, 23 May 2022 01:41:18 GMT

Should be treated same as importing a certificate directly to a firewall. This is the same as simply removing the target-tpl parameter. At least that's how it behaves for me running on 10.1 and 10.2.

Re: Automating certificate import into Panorama (not a template)

ERolleman — Tue, 24 May 2022 14:34:34 GMT

Thank you. I must have a typo or something some where then.