https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/357275#M87757 <P>I have successfully loaded my device certificate and a CA certificate from the CLI - took some seraching for format of the certificate strings, but they're in there now.&nbsp;</P><P>One problem.&nbsp;</P><P>In a firewall I have previously set up I show (in set format) the certificate stanza:</P><P class="lia-indent-padding-left-30px">set shared certificate wanroot subject-hash ffffffff<BR />set shared certificate wanroot issuer-hash ffffffff<BR />set shared certificate wanroot not-valid-before "May 23 02:36:33 2020 GMT"<BR />set shared certificate wanroot issuer /CN=wanroot<BR />set shared certificate wanroot not-valid-after "May 18 02:36:33 2040 GMT"<BR />set shared certificate wanroot common-name wanroot<BR />set shared certificate wanroot expiry-epoch 2220921393<BR />set shared certificate wanroot ca yes<BR />set shared certificate wanroot subject /CN=wanroot<BR />set shared certificate wanroot public-key "-----BEGIN CERTIFICATE-----[blahblahblah]-----END CERTIFICATE-----"<BR />set shared certificate wanroot algorithm EC</P><P>&nbsp;</P><P>I get an error entering the line "set shared certificate wanroot ca yes" - Invalid syntax.</P><P>&nbsp;</P><P>What is the correct way to declare a certificate a CA certificate from the CLI?</P><P>&nbsp;</P><P>--Matthew</P> Tue, 20 Oct 2020 04:27:07 GMT MatthewSabin 2020-10-20T04:27:07Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/357275#M87757 <P>I have successfully loaded my device certificate and a CA certificate from the CLI - took some seraching for format of the certificate strings, but they're in there now.&nbsp;</P><P>One problem.&nbsp;</P><P>In a firewall I have previously set up I show (in set format) the certificate stanza:</P><P class="lia-indent-padding-left-30px">set shared certificate wanroot subject-hash ffffffff<BR />set shared certificate wanroot issuer-hash ffffffff<BR />set shared certificate wanroot not-valid-before "May 23 02:36:33 2020 GMT"<BR />set shared certificate wanroot issuer /CN=wanroot<BR />set shared certificate wanroot not-valid-after "May 18 02:36:33 2040 GMT"<BR />set shared certificate wanroot common-name wanroot<BR />set shared certificate wanroot expiry-epoch 2220921393<BR />set shared certificate wanroot ca yes<BR />set shared certificate wanroot subject /CN=wanroot<BR />set shared certificate wanroot public-key "-----BEGIN CERTIFICATE-----[blahblahblah]-----END CERTIFICATE-----"<BR />set shared certificate wanroot algorithm EC</P><P>&nbsp;</P><P>I get an error entering the line "set shared certificate wanroot ca yes" - Invalid syntax.</P><P>&nbsp;</P><P>What is the correct way to declare a certificate a CA certificate from the CLI?</P><P>&nbsp;</P><P>--Matthew</P> Tue, 20 Oct 2020 04:27:07 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/357275#M87757 MatthewSabin 2020-10-20T04:27:07Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/358027#M87836 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/58201">@MatthewSabin</a> ,</P> <P>&nbsp;</P> <P>I was testing these commands in my lab but the following isn't a valid CLI syntax anymore (maybe it used to be in a previous PAN-OS) :</P> <P>set shared certificate &lt;name&gt; ca yes</P> <P>&nbsp;</P> <P>The one command that comes close is using certificate-profile but I'm guessing that's not what you're looking for ? :</P> <P>set shared certificate-profile &lt;name&gt; CA </P> <P>&nbsp;</P> <P>I wasn't able to find anything else through CLI</P> <P>&nbsp;</P> <P>Maybe someone else has an idea ?</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 22 Oct 2020 08:02:34 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/358027#M87836 kiwi 2020-10-22T08:02:34Z https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/360529#M88107 <P>Thanks for the tip, but it turns out that my problem wasn't about syntax but method.</P><P>Pasting all of the parts of a certificate into the configuration and comitting doesn't actually "install" a certificate, or so I've learned.</P><P>Rather than pasting it in, TAC informs me that I must exit configuration mode and import the certificate as below:</P><LI-CODE lang="markup">scp import certificate source-ip &lt;scp server IP&gt; remote-port &lt;scp server port&gt; from &lt;user&gt;@&lt;scp server&gt;:&lt;path&gt;&lt;filename&gt; format &lt;pem|pkcs12&gt; [passphrase &lt;pass phrase&gt;] certificate-name &lt;name&gt;</LI-CODE><P>Whe the certificate is imported, that invalid syntax line magically materializes in the show output.&nbsp;</P> Tue, 03 Nov 2020 20:15:07 GMT https://live.paloaltonetworks.com/t5/general-topics/certificate-ca-status-from-the-cli/m-p/360529#M88107 MatthewSabin 2020-11-03T20:15:07Z