topic Re: Automate adding certificate to TS agent in General Topics

Automate adding certificate to TS agent

CHARRIER — Tue, 31 Jan 2023 16:57:23 GMT

Hello, I am trying to automate the configuration of the certificate part of the ts agent . My problem is to automate adding the certificate private key password in the ts agent.

I have the certificate part filled in with registry keys but i have this error message when i try to launch the PanTaservice :

01/31/23 17:18:24[Error 341]: Query password read error: 2!!!!
01/31/23 17:18:24[Error 665]: Unable to retrieve password from cred store!!!!
01/31/23 17:18:24[Error 576]: Start service fails due to start link failure!!!!
01/31/23 17:18:24[Error 409]: Start error -1!!
01/31/23 17:18:24[Info 118]: Stop driver succeeds.
01/31/23 17:18:24[Info 176]: Service stopped.

Anyone know how to do it? and where is stored this password ?

Re: Automate adding certificate to TS agent

JayGolf — Tue, 31 Jan 2023 20:18:50 GMT

Hi @CHARRIER ,

Was the certificate you used generated from the firewall or from internal PKI?

Re: Automate adding certificate to TS agent

CHARRIER — Wed, 01 Feb 2023 07:08:56 GMT

Hello @JayGolf

The certificate is generated by the internal PKI.

Re: Automate adding certificate to TS agent

CHARRIER — Wed, 01 Feb 2023 14:10:53 GMT

I found the solution, i see 6 registry key are created in HKLM/SOFTWARE\Palo Alto Networks\TS Agent\Conf :

TSAgentCNALTNAME

TSAgentCNEXPIRY

TSAgentCNISSUER

TSAgentCNNAME

TSAgentCNSUBJECT

And TSAgentSSL, that the key used to add the password certificate.

I get the value for the key TSAgentSSL with Process Monitor application.

This registry key is deleted when the service boot. that's why i doesn't see this key before.

I add the creation of this registry key in the script and the service is booting now

Re: Automate adding certificate to TS agent

JayGolf — Thu, 02 Feb 2023 18:13:19 GMT

Thanks for sharing @CHARRIER !