topic Re: CSR export via XML API in Automation/API Discussions

CSR export via XML API

Nikolay-Matveev — Thu, 01 Oct 2020 22:51:25 GMT

I am trying to export a CSR via XML API as per this article and as per /debug output that I get when I perform the export via Web UI.

The request I run is as follows:

https://<fw-address>/api/?type=export&category=certificate&certificate-name=<cert-name>&format=pkcs10&include-key=no&key=<api_key>

However this does not quite work - I get an error message that says:

Failed to prepare CSR <cert-name> for export. PKCS10 format can only be used with CSRs and not certificates.

I have now run out of ideas what it does not like in the request. The article explicitely says - "You can use the example above to export a certificate signing request (CSR). If you do so, then specify the following two parameters as shown: format - pkcs10, include-key - no" and this is exactly what I am doing. The debug out for a succefull operation suggests the same syntax:

<request cmd="op" cookie="1001040547321532">
  <operations xml="yes">
    <download>
      <certificate>
        <certificate-name>cert-name</certificate-name>
        <format>pkcs10</format>
        <include-####censored 'key''####
[2020/10/01 23:06:58] user=1001040547321532
Response took 0.040s <response status="success"><result><content encoding="base64">
<---encoded csr goes here-->
]]></content></result></response>

Has anybody has an idea about the correct format of the request?

Re: CSR export via XML API

Nikolay-Matveev — Fri, 02 Oct 2020 09:05:27 GMT

Spoke to TAC (the engineer said he had been unable to reproduce), reproduced the issue for him, then we removed spaces from cert name and subject - the issue was gone, re-added the spaces - the issue did NOT re-occur. There must have been something else, very subtle, that trigerred the error. We'll keep playing with this and update this thread if manage to discover anything...

Re: CSR export via XML API

FabioSouza — Mon, 02 May 2022 13:58:41 GMT

Hi guys,

I got the same error message trying to export the CSR for an existing certificate. My guess is that only works for CSR objects and not for certificates. Works fine for me to export just the CSR without a certificate.

- Create the CSR

https://{{PaloaltoIP}}/api?key={{key}}&type=op&cmd=<request><certificate><generate><certificate-name>test-server-1</certificate-name><name>test-server-1</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><ca>no</ca><signed-by>external</signed-by></generate></certificate></request>

- Export the CSR

https://{{PaloaltoIP}}/api?key={{key}}&type=export&category=certificate&certificate-name=test-server-1&include-key=no&format=pkcs10

Should it work for a certificate as well?

cheers.

Re: CSR export via XML API

JimmyHolland — Mon, 12 Sep 2022 10:44:53 GMT

Yes, it is the same API command to export a CSR as it is for a certificate, and the API command you posted @FabioSouza looks correct. Maybe there was something very subtle going on like the example above from @Nikolay-Matveev, so I recommend a TAC case to investigate further.