https://live.paloaltonetworks.com/t5/automation-api-discussions/xml-api-powershell-importing-public-wildcard-pkcs12-certificates/m-p/519561#M3225 <P><SPAN>I'm trying to automate importing public wildcard pkcs12 certificates with passphrase into Palo Altos with XML API and powershell.&nbsp;</SPAN></P><P><SPAN>Importing the cert in the&nbsp; web gui works fine, I give it a name, browse to the .pfx file, select format&nbsp;pkcs12, and enter and confirm the passphrase. Great! And then I can create other profiles and reference that cert.</SPAN></P><P>However, I need to automate this import.</P><P>Following the instructions on&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-certificates-api" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-certificates-api</A><BR /><BR /><SPAN>here's what I do in powershell :</SPAN></P><P><BR /><SPAN>$certFile = "wildcard.pfx"</SPAN><BR /><SPAN>$passPhrase = "xxxxx"</SPAN><BR /><SPAN>$certName="WILDCARD-CERT"</SPAN></P><P>$WANIP = "65.65.65.6</P><P>$apikey = "yyyyyyy"</P><P><BR /><SPAN>$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&amp;type=import&amp;category=keypair&amp;certificate-name=$certName&amp;format=pkcs12&amp;passphrase=$passPhrase"</SPAN></P><P>&nbsp;</P><P>within powershell I call&nbsp;<SPAN>C:\Windows\System32\curl.exe because "curl" on powershell is just an alias for Invoke-webrequest (which by the way is my preferred way of call the PanOS API)</SPAN></P><P><BR /><SPAN>C:\Windows\System32\curl.exe -F "file=@$certFile" $apiurl</SPAN><BR /><SPAN>the result is:</SPAN><BR /><BR /><SPAN>curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.</SPAN><BR /><SPAN>More details here:&nbsp;</SPAN><A href="https://curl.se/docs/sslcerts.html" target="_blank" rel="noopener">https://curl.se/docs/sslcerts.html</A><BR /><BR /><SPAN>curl failed to verify the legitimacy of the server and therefore could not</SPAN><BR /><SPAN>establish a secure connection to it. To learn more about this situation and</SPAN><BR /><SPAN>how to fix it, please visit the web page mentioned above.</SPAN><BR /><BR /><SPAN>If I use -k for insecure,</SPAN><BR /><SPAN>C:\Windows\System32\curl.exe -k -F "file=@$certFile" $apiurl</SPAN><BR /><BR /><SPAN>the result is :</SPAN><BR /><SPAN>&lt;response status="error"&gt;&lt;msg&gt;&lt;line&gt;Import of certificate and private-key "WILDCARD-CERT" failed. Failed to extract certificate&lt;/line&gt;&lt;/msg&gt;&lt;/response&gt;</SPAN><BR /><BR /><SPAN>However, as I said, it works just fine if I import it in the Palo Alto web gui.</SPAN><BR /><BR /><SPAN>any help would be appreciated.</SPAN></P> Fri, 28 Oct 2022 16:42:16 GMT RogerMccarrick 2022-10-28T16:42:16Z https://live.paloaltonetworks.com/t5/automation-api-discussions/xml-api-powershell-importing-public-wildcard-pkcs12-certificates/m-p/519561#M3225 <P><SPAN>I'm trying to automate importing public wildcard pkcs12 certificates with passphrase into Palo Altos with XML API and powershell.&nbsp;</SPAN></P><P><SPAN>Importing the cert in the&nbsp; web gui works fine, I give it a name, browse to the .pfx file, select format&nbsp;pkcs12, and enter and confirm the passphrase. Great! And then I can create other profiles and reference that cert.</SPAN></P><P>However, I need to automate this import.</P><P>Following the instructions on&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-certificates-api" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-certificates-api</A><BR /><BR /><SPAN>here's what I do in powershell :</SPAN></P><P><BR /><SPAN>$certFile = "wildcard.pfx"</SPAN><BR /><SPAN>$passPhrase = "xxxxx"</SPAN><BR /><SPAN>$certName="WILDCARD-CERT"</SPAN></P><P>$WANIP = "65.65.65.6</P><P>$apikey = "yyyyyyy"</P><P><BR /><SPAN>$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&amp;type=import&amp;category=keypair&amp;certificate-name=$certName&amp;format=pkcs12&amp;passphrase=$passPhrase"</SPAN></P><P>&nbsp;</P><P>within powershell I call&nbsp;<SPAN>C:\Windows\System32\curl.exe because "curl" on powershell is just an alias for Invoke-webrequest (which by the way is my preferred way of call the PanOS API)</SPAN></P><P><BR /><SPAN>C:\Windows\System32\curl.exe -F "file=@$certFile" $apiurl</SPAN><BR /><SPAN>the result is:</SPAN><BR /><BR /><SPAN>curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.</SPAN><BR /><SPAN>More details here:&nbsp;</SPAN><A href="https://curl.se/docs/sslcerts.html" target="_blank" rel="noopener">https://curl.se/docs/sslcerts.html</A><BR /><BR /><SPAN>curl failed to verify the legitimacy of the server and therefore could not</SPAN><BR /><SPAN>establish a secure connection to it. To learn more about this situation and</SPAN><BR /><SPAN>how to fix it, please visit the web page mentioned above.</SPAN><BR /><BR /><SPAN>If I use -k for insecure,</SPAN><BR /><SPAN>C:\Windows\System32\curl.exe -k -F "file=@$certFile" $apiurl</SPAN><BR /><BR /><SPAN>the result is :</SPAN><BR /><SPAN>&lt;response status="error"&gt;&lt;msg&gt;&lt;line&gt;Import of certificate and private-key "WILDCARD-CERT" failed. Failed to extract certificate&lt;/line&gt;&lt;/msg&gt;&lt;/response&gt;</SPAN><BR /><BR /><SPAN>However, as I said, it works just fine if I import it in the Palo Alto web gui.</SPAN><BR /><BR /><SPAN>any help would be appreciated.</SPAN></P> Fri, 28 Oct 2022 16:42:16 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/xml-api-powershell-importing-public-wildcard-pkcs12-certificates/m-p/519561#M3225 RogerMccarrick 2022-10-28T16:42:16Z https://live.paloaltonetworks.com/t5/automation-api-discussions/xml-api-powershell-importing-public-wildcard-pkcs12-certificates/m-p/519612#M3226 <P>I think I have a resolution.</P><P>I exported the cert from its original place, but this time as a BASE64 .pem file, exporting private key and using a passphrase.</P><P>Using the -k (insecure) with curl, the import was actually successful.</P><P>&nbsp;</P><P><SPAN>$certFile = "wildcard.pem"</SPAN></P><P><SPAN>$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&amp;type=import&amp;category=keypair&amp;certificate-name=$certName&amp;format=<STRONG>pem</STRONG>&amp;passphrase=$passPhrase"</SPAN></P><P>&nbsp;</P><P><SPAN>C:\Windows\System32\curl.exe -k -F "file=@$CertFile" $apiurl</SPAN></P><P>&nbsp;</P><P><SPAN>&lt;response status="success"&gt;&lt;result&gt;Successfully imported WILDCARD-CERT into candidate configuration&lt;/result&gt;&lt;/response&gt;</SPAN></P><P>&nbsp;</P><P>I do not know why the pkcs12 format doesn’t work. &nbsp;It seems that I can ask my end users to supply the cert in <STRONG>.pem</STRONG> format. This should work just fine.</P> Sat, 29 Oct 2022 18:46:48 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/xml-api-powershell-importing-public-wildcard-pkcs12-certificates/m-p/519612#M3226 RogerMccarrick 2022-10-29T18:46:48Z