The subject says it all...
This is a VM-100 with latest updates.
I can log in to the CLI and I wonder how I can list all certificates, identify the expired cert and, if possible, renew it, all through the CLI.
Thanks for any comments and a list of my options in this situation :-)
best regards Tor
Pull the running configuration from the CLI, identify the cert in question and update it directly through the CLI and push it back to the box, load it and commit.
FYI, an expired cert shouldn't block you from accessing the web interface; you should be able to bypass the warning and still access the GUI.
Thanks for the advice. I got the config and found the properties of the expired certificate, see below.
There are a total of 6 certificate entries (but only this one is expired). Is there a how-to for renewing or creating a new cert? Thanks for comments on how I can proceed further by the CLI...
<entry name="MyCompanys CA 2017">
<not-valid-before>Jan 26 20:02:51 2017 GMT</not-valid-before>
<not-valid-after>Jun 10 20:02:51 2018 GMT</not-valid-after>
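Added example, not part of the original thread and not Palo Alto's own tooling: one way to do the "identify the cert in question" step offline against an exported running configuration. Only the `entry`, `not-valid-before` and `not-valid-after` elements and the date format come from the fragment above; the sample XML, its `shared/certificate` nesting and the names `parse_gmt` and `audit_certificates` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample; a real export is larger and may nest certificates elsewhere.
SAMPLE_CONFIG = """<config><shared><certificate>
  <entry name="Example CA 2017">
    <not-valid-before>Jan 26 20:02:51 2017 GMT</not-valid-before>
    <not-valid-after>Jun 10 20:02:51 2018 GMT</not-valid-after>
  </entry>
  <entry name="Example Web 2018">
    <not-valid-before>Jun  1 09:00:00 2018 GMT</not-valid-before>
    <not-valid-after>Jun  1 09:00:00 2028 GMT</not-valid-after>
  </entry>
  <entry name="Truncated entry">
    <not-valid-after>not a date</not-valid-after>
  </entry>
</certificate></shared></config>"""

def parse_gmt(text):
    # Dates in the fragment look like "Jun 10 20:02:51 2018 GMT" (always GMT).
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def audit_certificates(config_xml, now, warn_days=30):
    """Return (name, status, not_after) for every entry carrying not-valid-after."""
    results = []
    for entry in ET.fromstring(config_xml).iter("entry"):
        raw = entry.findtext("not-valid-after")
        if raw is None:
            continue  # some other kind of <entry>, not a certificate
        try:
            not_after = parse_gmt(raw)
        except ValueError:
            results.append((entry.get("name"), "unparseable", None))
            continue
        if not_after <= now:
            status = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((entry.get("name"), status, not_after))
    return results

if __name__ == "__main__":
    for name, status, not_after in audit_certificates(SAMPLE_CONFIG, datetime.now(timezone.utc)):
        print(f"{status:12} {name}  not-valid-after={not_after}")
```

Matching on the `not-valid-after` child rather than a fixed path means the check does not depend on where in the configuration tree the certificates sit.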
From the CLI:
> request certificate renew days-till-expiry <days> certificate-name <certname>
> request certificate generate
+ ca Make this a signing certificate
+ country-code Country code
+ days-till-expiry Number of days till expiry
+ digest Digest Algorithm
+ email Email address of the contact person
+ filename file name for the certificate
+ locality Locality
+ ocsp-responder-url ocsp-responder-url
+ organization Organization
+ signed-by signed-by
+ state State/province
* algorithm algorithm
* certificate-name Name of the certificate object
* name IP or FQDN to appear on the certificate
> alt-email Subject alternate Email type
> hostname Subject alternate name DNS type
> ip Subject alternate name IP type
> organization-unit Department
Seconding what @BPry has said - you should still be able to log in to the webUI, even with an expired cert.
Thanks for all the help. I see the last comment from both of you; however, our web interface ceased to respond on the day the CA cert expired and I read about it here:
If you have other suggestions as to why our webinterface ceased to respond, I'm of course open to any help or troubleshooting tips.
Anyway, I tried to renew our current CA cert by this command:
VM-100> request certificate renew days-till-expiry 400 certificate-name "MyCompany CA 2017"
.. but got this error:
Server error : Failed to determine the issuer of certificate
This is a self-signed cert, so which parameters do I apply to make it content?
Thanks again :-)
best regards Tor
The article you sent actually mentions the absence of a certificate entirely, rather than an expired one.
As per the article's recommendations, have you tried to assign the primary certificate from your chain to the web server?
# set deviceconfig system web-server-certificate <certname>
Regarding this error, I have not seen this before and the steps you took to renew the self-signed CA via CLI command are correct. If trying the above is unsuccessful, could you give the management server a reboot? (debug software restart process management-server) Also, what PAN-OS version are you running?
Thanks a lot! Restarting the management plane did the trick. After that we were able to log in to the web interface again and I created a new cert and now all is well.
The 'disconnection' occurred at about the same time as the https cert expired. I'm on version 8.1.1. Is it possible that the cert expiration caused the management plane to 'hang' so web interface access was disabled..?
Anyway, I'm just glad to be up and running again. Thanks again :-)