10-01-2020 03:51 PM
I am trying to export a CSR via XML API as per this article and as per /debug output that I get when I perform the export via Web UI.
The request I run is as follows:
https://<fw-address>/api/?type=export&category=certificate&certificate-name=<cert-name>&format=pkcs10&include-key=no&key=<api_key>
However this does not quite work - I get an error message that says:
Failed to prepare CSR <cert-name> for export. PKCS10 format can only be used with CSRs and not certificates.
I have now run out of ideas what it does not like in the request. The article explicitely says - "You can use the example above to export a certificate signing request (CSR). If you do so, then specify the following two parameters as shown: format - pkcs10, include-key - no" and this is exactly what I am doing. The debug out for a succefull operation suggests the same syntax:
<request cmd="op" cookie="1001040547321532">
<operations xml="yes">
<download>
<certificate>
<certificate-name>cert-name</certificate-name>
<format>pkcs10</format>
<include-####censored 'key''####
[2020/10/01 23:06:58] user=1001040547321532
Response took 0.040s <response status="success"><result><content encoding="base64">
<---encoded csr goes here-->
]]></content></result></response>Has anybody has an idea about the correct format of the request?
10-02-2020 02:05 AM
Spoke to TAC (the engineer said he had been unable to reproduce), reproduced the issue for him, then we removed spaces from cert name and subject - the issue was gone, re-added the spaces - the issue did NOT re-occur. There must have been something else, very subtle, that trigerred the error. We'll keep playing with this and update this thread if manage to discover anything...
05-02-2022 06:58 AM
Hi guys,
I got the same error message trying to export the CSR for an existing certificate. My guess is that only works for CSR objects and not for certificates. Works fine for me to export just the CSR without a certificate.
- Create the CSR
https://{{PaloaltoIP}}/api?key={{key}}&type=op&cmd=<request><certificate><generate><certificate-name>test-server-1</certificate-name><name>test-server-1</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><ca>no</ca><signed-by>external</signed-by></generate></certificate></request>
- Export the CSR
https://{{PaloaltoIP}}/api?key={{key}}&type=export&category=certificate&certificate-name=test-server-1&include-key=no&format=pkcs10
Should it work for a certificate as well?
cheers.
09-12-2022 03:44 AM
Yes, it is the same API command to export a CSR as it is for a certificate, and the API command you posted @FabioSouza looks correct. Maybe there was something very subtle going on like the example above from @Nikolay-Matveev, so I recommend a TAC case to investigate further.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
