So, silly me. I manage my certs in Panorama, so when my int CA for my management ports came up for renewal, I renewed and pushed out to all the devices ... except for my Panorama :(
Now I have CLI access only.
I have found the location,
but when it comes time to add my multiline public key ... it will not take multiline entries ... how do I enter a multi-line entry?
My god, how hard ... there is an open quote that doesn't work, or <space>\ that doesn't work.
Any help would be welcome ...
OK, I am going to ask the obvious and dumb question first.
Why not, temporarily, disable the need to use a cert to manage the Panorama?
You have CLI access; remove the line that references the cert.
For me, that line is
set deviceconfig system ssl-tls-service-profile SecureGUI (SecureGUI is my cert profile)
Delete that line. Commit.
Now the Panorama would not be looking for a valid cert to manage it.
I will certainly keep an eye on the responses to this message, but it should not be too difficult.
If I am misunderstanding the issue, please provide greater detail. :P
Good tip, Steve; probably the easiest option.
If pasting over CLI, though, you might still need "set cli scripting-mode on".
Good call, I was going to try removing the SSL from there. But if I delete the SSL cert, how will it present SSL traffic then?
I was thinking maybe to allow port 80 access.
As for scripting mode ... hadn't tried that. Is that how you insert certs?
I will give it a go.
Scripting mode is recommended when doing multiple lines of commands via CLI. I’m not sure if it is a cure for your issue though.
As for the cert requirement. Is it just that the certificate is no longer trusted and your browser won’t allow a connection? The cert is still there just expired right?
You can generate a new Panorama web-server certificate with the command:
run request certificate generate for-use-by panorama-server
More detail on what you are trying would be helpful.
Also agree that just enabling HTTP management would be a quick way in. Deleting the SSL service profile probably won’t even commit since it would be referenced by the configured features to be using it.
*** Another option would be to SCP export the configuration to another device, replace the existing certificate in the XML configuration file, and reimport.
No, the intermediate CA was expired.
I recently renewed the int CA and the management cert,
but forgot to update the int CA on Panorama, and I did upgrade the cert.
SCP ... yes, I found this in my googling.
I think the crux of the question is how to do cert management from CLI.
It looks like the only way to import a cert properly is to SCP it in.
The set commands don't work!
To get the proper syntax of the configuration, including all the carriage returns etc., do the following to get the configuration output in set format. Then you can take just that section of the config and paste it into Notepad++ or SublimeText so that you get the correct line requirements, such as right after the BEGIN CERTIFICATE --- line.
admin@M100-01(primary-active)> set cli config-output-format set
admin@M100-01(primary-active)> set cli scripting-mode on
Entering configuration mode
The private key is a single line but the public key is fixed width.
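A small helper for checking and repairing the line layout of a PEM block before it is pasted in set format, added here as an illustration and not taken from this thread or from Palo Alto Networks. It assumes the standard 64-column PEM body (the fixed width mentioned above) and uses a constructed DER blob in place of a real certificate; the set command itself still comes from the set-format config output.

```python
import base64
import re

# Constructed sample (not a real certificate): a valid DER SEQUENCE that wraps a
# 100-byte OCTET STRING. Its Base64 form is 140 characters, so a correctly laid
# out PEM body is two 64-column lines plus a 12-character final line.
SAMPLE_DER = b"\x30\x66\x04\x64" + bytes(range(100))
SAMPLE_PEM_ONE_LINE = ("-----BEGIN CERTIFICATE-----\n"
                       + base64.b64encode(SAMPLE_DER).decode()
                       + "\n-----END CERTIFICATE-----\n")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
WIDTH = 64  # fixed width of every PEM body line except the last


def pem_line_problems(pem: str) -> list:
    """List body lines that break the fixed-width layout the set-format paste needs."""
    match = PEM_BLOCK.search(pem)
    if not match:
        return ["no BEGIN/END block found"]
    lines = [ln for ln in match.group(2).splitlines() if ln.strip()]
    problems = []
    for i, line in enumerate(lines, 1):
        if line != line.strip():
            problems.append(f"line {i}: leading or trailing whitespace")
        elif i < len(lines) and len(line) != WIDTH:
            problems.append(f"line {i}: {len(line)} columns, expected {WIDTH}")
        elif i == len(lines) and len(line) > WIDTH:
            problems.append(f"line {i}: {len(line)} columns, last line may not exceed {WIDTH}")
    return problems


def normalize_pem(pem: str) -> str:
    """Re-emit a PEM block (single line, CRLF, or oddly wrapped) with a 64-column body.

    Raises ValueError if the body is not valid Base64 or does not decode to a
    DER SEQUENCE, which catches a truncated or corrupted paste before it is committed.
    """
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no BEGIN/END block found")
    label = match.group(1)
    body = re.sub(r"\s+", "", match.group(2))  # drop CR, LF and stray spaces
    der = base64.b64decode(body, validate=True)  # binascii.Error is a ValueError
    if der[:1] != b"\x30":
        raise ValueError("decoded data is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + WIDTH] for i in range(0, len(b64), WIDTH))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"
```

Run `pem_line_problems()` on what you are about to paste; if it reports anything, paste `normalize_pem()`'s output into the editor instead.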