topic SSL/TLS Service Profile - Automate Certificate Replacement in General Topics

SSL/TLS Service Profile - Automate Certificate Replacement

bgre033 — Tue, 06 Jun 2023 22:39:42 GMT

Hi,

I'm looking for an automatic way to update the certificate in a SSL/TLS Service Profile (which forms a part of the certificate replacement process). From what I can find, steps 1 and 2 can be automated with Ansible (or XML API), but I cannot find a way to do this for step 3.

Import certificate (Ansible or XML API)
Update Decryption Profile (Ansible)
Update SSL/TLS Service Profile (?)

I had a look at Ansible, XML API and REST API, but I cannot find the relevant module/call. If possible, I would like to avoid SSH and keep it all HTTPS based.

Thanks for any help.

Re: SSL/TLS Service Profile - Automate Certificate Replacement

S.Cantwell — Mon, 12 Jun 2023 19:04:04 GMT

Howdy there.

I am running decryption on my FW, and I do not have any SSL-TLS profile being referenced.

Can you kindly explain your configuration, where a SSL TLS profile is called in Decryption.
It would help us, to provide better support to you.

Re: SSL/TLS Service Profile - Automate Certificate Replacement

bgre033 — Tue, 13 Jun 2023 07:42:09 GMT

Thanks for your reply, Steve.

I got this working using the panos_type_cmd module with the code below.

- name: Update SSL TLS profile cert

panos_type_cmd:

provider: '{{ palo_provider }}'

xpath: |

/config/shared/ssl-tls-service-profile/entry[@name='PROFILE-NAME']

element: |

<certificate>{{ cert_name }}</certificate>

Re: SSL/TLS Service Profile - Automate Certificate Replacement

bgre033 — Sun, 25 Jun 2023 07:32:25 GMT

I have added my playbook to Github.

https://github.com/bgre033/paloalto-panos-certificate-renew-with-ansible