topic Re: Fighting the cli ... sigh - how to import a cert via the cli in General Topics

Fighting the cli ... sigh - how to import a cert via the cli

Alex_Samad — Mon, 24 Jun 2019 01:55:34 GMT

So, silly me I manage my cert in panorama, so when my int CA for my management ports came up for renewal, i renewed, and pushed out to all the devices ... except for my panorama 😞

now I have cli access only.

I have found the location

configure

panorama certificate

but when it comes time to add my multiline public key ... it will not take multiline entries ... how do I enter a multi line.

My god how hard .. there is an open quote that doesn't work. or <space>\ that doesn't work.

any help would be welcome ...

Re: Fighting the cli ... sigh - how to import a cert via the cli

S.Cantwell — Mon, 24 Jun 2019 20:56:26 GMT

Ok, am going to ask the obvious and dumb question first.

Why not, temporarily, disable the need to use a Cert to manage the Panorama?

You have CLI access, remove the line that references the cert.

for me, that line is

set deviceconfig system ssl-tls-service-profile SecureGUI (SecureGui is my cert profile)

delete that line. commit.

Now the Panorama would not be looking for a valid cert to manage on it.

Certainly will keep an eye on this message response, but should not be too difficult.

If I am misunderstanding the issue, please provide greater detail. 😛

Re: Fighting the cli ... sigh - how to import a cert via the cli

bspilde — Mon, 24 Jun 2019 21:45:07 GMT

Good tip Steve, probably the easiest option.

If pasting over CLI still though you might need "set cli scripting-mode on".

Re: Fighting the cli ... sigh - how to import a cert via the cli

Alex_Samad — Mon, 24 Jun 2019 22:03:16 GMT

Good call I was going to try removing the ssl from there. but delete a ssl cert how will it present ssl traffic then.

I was thinking maybe to allow port 80 access .

as for scripting mode ... hadn't tried that. is that how you insert certs ?

I will give it a go

Re: Fighting the cli ... sigh - how to import a cert via the cli

bspilde — Mon, 24 Jun 2019 22:40:58 GMT

Scripting mode is recommended when doing multiple lines of commands via CLI. I’m not sure if it is a cure for your issue though.

As for the cert requirement. Is it just that the certificate is no longer trusted and your browser won’t allow a connection? The cert is still there just expired right?

You can generate a new Panorama web-server certificate with the command:

run request certificate generate for-use-by panorama-server

More detail on what you are trying would be helpful.

Also agree that just enabling HTTP management would be a quick way in. Deleting the SSL service profile probably won’t even commit since it would be referenced by the configured features to be using it.

*** Another option would be to SCP export the configuration to another device and replace the existing certificate in the XML configuration file and reimport.

Re: Fighting the cli ... sigh - how to import a cert via the cli

Alex_Samad — Mon, 24 Jun 2019 22:45:22 GMT

No, the intermediary CA was expired.

I recently renews the int ca and the management cert.

but forgot to update the int ca on panorama and I did upgrade the cert.

scp .. yes i found this in my google'ing

I think the crux of the question is how to do cert management from CLI

it looks like the only way to import a cert properly is to scp in.

the set commands don't work !

Re: Fighting the cli ... sigh - how to import a cert via the cli

bspilde — Mon, 24 Jun 2019 22:52:31 GMT

To get the proper syntax of the configuration including all the carriage returns etc. do the following to get the configuration output in set format. Then you can take just that section of the config to paste into Notepad++ or SublimeText so that you get the correct line requirements such as right after the BEGIN CERTIFICATE --- line.

admin@M100-01(primary-active)> set cli config-output-format set

admin@M100-01(primary-active)> set cli scripting-mode on

admin@M100-01(primary-active)> configure

Entering configuration mode

[edit]

admin@M100-01(primary-active)# show

The private key is a single line but the public key is fixed width.

Re: Fighting the cli ... sigh - how to import a cert via the cli

bspilde — Mon, 24 Jun 2019 22:56:28 GMT

Shoot! Ok, good to know. If you have successful steps please post.

Re: Fighting the cli ... sigh - how to import a cert via the cli

Alex_Samad — Thu, 27 Jun 2019 04:27:13 GMT

This is what i did - set show and copy paste.

it doesn't work.

Re: Fighting the cli ... sigh - how to import a cert via the cli

GregDetweiler — Wed, 26 Feb 2020 19:58:06 GMT

I know this is old, but I was struggling with it as well. The advice from here (CTRL-V followed by CTRL-M at the end of each line) worked:

https://www.reddit.com/r/paloaltonetworks/comments/4ojbsh/cli_assistance_with_banner_text/