How to check certificate expiration date from API or CLI?


L0 Member

Hello all,

 

Do you know if it is possible to check the certificate expiration date from the API or CLI for Firewall and Panorama?

Ideally also get all the certificate details. I haven't found a way.

 

Thanks

 

1 ACCEPTED SOLUTION


And the equivalent XML API call:

 

https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>

 

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂


23 REPLIES 23

L3 Networker

Hi there,

On the firewall CLI, try show sslmgr-store config-certificate-info; it will give you certificate details including expiry dates.

 

cheers,

Seb.

Thank you.

Awesome, that was exactly what I was looking for.

 

And the equivalent XML API call:

 

https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>

 


Hi,

I have not found an sslmgr-store option on my Panorama.

Hi @efurlan, another method is to look at the config, such as this example API call:

https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate

 

The response includes the expiry (and begin) dates:

[Image: Screenshot 2021-12-07 at 10.56.33.png]


L4 Transporter

You could also do the sslmgr command on a managed-firewall via Panorama:

https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>&target={{ngfw-serial-number}}

 


L1 Bithead

Super helpful, thanks so much.

Led me on to the SDK:

https://pan-os-python.readthedocs.io/

Hi Jymmy, 

 

Thank you for the post. I'm using exactly what you posted, but it looks like it does not send the certificate's name in the response. Do you have any suggestions about how to get a list of SSL certificates installed?

 

Response:

<response status="success">
    <result>04D53E620DFF9346DA94C3F500D97B2:FF74AB87368B853C438879E050464F0CE84D5010
    serial number: 
        issuer: /C=CA/ST=ON/L=Ottawa/O=MyOrg/CN=Issuing CA
        issuer-subjecthash: FF74AB87368B85986969E050464F0CE84D5010
        issuer-keyhash: 
        db-type: V
        db-exp-date: 220409191416Z(Apr  9 19:14:16 2022 GMT)
        db-rev-date: ()
        db-serialno: 04D53E620097097A94C3F500D97B26unknown
        db-file: unknown
        db-name: /C=CA/ST=Ontario/O=myOrg/CN=xpto.com
        db-status: V
 
Regards, 
Fabio
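
Added example (not part of any post in this thread): a Python sketch that parses a saved sslmgr-store response like the one quoted above and reports records that have expired or expire soon. It assumes each record starts with a `HEX:HEX` line followed by `key: value` lines, as in the single record shown; the sample data and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample response, modelled on the record layout quoted above.
SAMPLE = """<response status="success">
<result>0A1B2C:AABBCC
    issuer: /C=XX/O=Example/CN=Example Issuing CA
    db-exp-date: 220409191416Z(Apr  9 19:14:16 2022 GMT)
    db-name: /C=XX/O=Example/CN=old.example.com
    db-status: V
0D4E5F:AABBCC
    issuer: /C=XX/O=Example/CN=Example Issuing CA
    db-exp-date: 300101000000Z(Jan  1 00:00:00 2030 GMT)
    db-name: /C=XX/O=Example/CN=new.example.com
    db-status: V
</result>
</response>"""

# Assumed layout: a "HEX:HEX" line opens a record, "key: value" lines follow.
HEADER = re.compile(r"^[ \t]*[0-9A-Fa-f]+:[0-9A-Fa-f]+[ \t]*$", re.MULTILINE)
FIELD = re.compile(r"^[ \t]*([a-z][a-z -]*):[ \t]*(.*)$", re.MULTILINE)

def parse_records(xml_text):
    """Return one dict of fields per certificate record inside <result>."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    body = root.findtext("result") or ""
    return [dict(FIELD.findall(c)) for c in HEADER.split(body)
            if "db-exp-date" in c]

def expiring(xml_text, now, within_days=30):
    """List (db-name, expiry, days_left); negative days_left means expired."""
    hits = []
    for rec in parse_records(xml_text):
        stamp = rec["db-exp-date"].split("(")[0].strip()  # e.g. 220409191416Z
        exp = datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(
            tzinfo=timezone.utc)
        days = (exp - now).days
        if days <= within_days:
            hits.append((rec.get("db-name", "?"), exp, days))
    return hits

if __name__ == "__main__":
    for name, exp, days in expiring(SAMPLE, datetime.now(timezone.utc)):
        print(f"{name}: expires {exp:%Y-%m-%d} ({days} days)")
```
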

L4 Transporter

Hi @FabioSouza, which command are you using, how are you using it (Postman, curl, etc), and is it to Panorama or NGFW directly?

It looks like you are using the "sslmgr-store" command from earlier in the thread, but maybe try the config command later in the thread (here) which includes certificate names in the response.

https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate