CSR export via XML API

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

CSR export via XML API

L2 Linker

I am trying to export a CSR via XML API as per this article and as per /debug output that I get when I perform the export via Web UI.

 

The request I run is as follows:

https://<fw-address>/api/?type=export&category=certificate&certificate-name=<cert-name>&format=pkcs10&include-key=no&key=<api_key>

 

However this does not quite work - I get an error message that says:

 

Failed to prepare CSR <cert-name> for export. PKCS10 format can only be used with CSRs and not certificates.

 

I have now run out of ideas what it does not like in the request. The article explicitely says - "You can use the example above to export a certificate signing request (CSR). If you do so, then specify the following two parameters as shown: format - pkcs10, include-key - no" and this is exactly what I am doing. The debug out for a succefull operation suggests the same syntax:

 

<request cmd="op" cookie="1001040547321532">
  <operations xml="yes">
    <download>
      <certificate>
        <certificate-name>cert-name</certificate-name>
        <format>pkcs10</format>
        <include-####censored 'key''####
[2020/10/01 23:06:58] user=1001040547321532
Response took 0.040s <response status="success"><result><content encoding="base64">
<---encoded csr goes here--> ]]></content></result></response>

Has anybody has an idea about the correct format of the request?

3 REPLIES 3

L2 Linker

Spoke to TAC (the engineer said he had been unable to reproduce), reproduced the issue for him, then we removed spaces from cert name and subject - the issue was gone, re-added the spaces - the issue did NOT re-occur. There must have been something else, very subtle, that trigerred the error. We'll keep playing with this and update this thread if manage to discover anything...

L1 Bithead

Hi guys, 

 

I got the same error message trying to export the CSR for an existing certificate. My guess is that only works for CSR objects and not for certificates. Works fine for me to export just the CSR without a certificate. 

 

- Create the CSR 

https://{{PaloaltoIP}}/api?key={{key}}&type=op&cmd=<request><certificate><generate><certificate-name>test-server-1</certificate-name><name>test-server-1</name><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><digest>sha256</digest><ca>no</ca><signed-by>external</signed-by></generate></certificate></request>

 

- Export the CSR

https://{{PaloaltoIP}}/api?key={{key}}&type=export&category=certificate&certificate-name=test-server-1&include-key=no&format=pkcs10

 

Should it work for a certificate as well?

 

cheers.

 

 

Yes, it is the same API command to export a CSR as it is for a certificate, and the API command you posted @FabioSouza looks correct. Maybe there was something very subtle going on like the example above from @Nikolay-Matveev, so I recommend a TAC case to investigate further.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
  • 3218 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!