How to check certificate expiration date from API or CLI?

L0 Member

Hello all,

 

Do you know if it is possible to check certificate expiration date from API or CLI for Firewall and Panorama?

Ideally also get all the certificate details. I haven't found a way.

 

Thanks

 

L3 Networker

Hi there,

On the firewall CLI, try show sslmgr-store config-certificate-info, which will give you certificate details including expiry dates.

 

cheers,

Seb.

Thank you.

Awesome, that was exactly what I was looking for.

 

And the equivalent XML API call:

 

https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>

 

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi,

I have not found a sslmgr-store option on my Panorama.

Hi @efurlan, another method is to look at the config, such as this example API call:

https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate

 

The response includes the expiry (and begin) dates:

[Screenshot of the API response: Screenshot 2021-12-07 at 10.56.33.png]


L5 Sessionator

You could also do the sslmgr command on a managed-firewall via Panorama:

https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>&target={{ngfw-serial-number}}

 


L1 Bithead

Super helpful, thanks so much.

Led me on to the SDK:

https://pan-os-python.readthedocs.io/

Hi Jimmy,

Thank you for the post. I'm using exactly what you posted, but it looks like it does not send the certificate's name in the response. Do you have any suggestions about how to get a list of SSL certificates installed?

 

Response:

<response status="success">
    <result>04D53E620DFF9346DA94C3F500D97B2:FF74AB87368B853C438879E050464F0CE84D5010
    serial number: 
        issuer: /C=CA/ST=ON/L=Ottawa/O=MyOrg/CN=Issuing CA
        issuer-subjecthash: FF74AB87368B85986969E050464F0CE84D5010
        issuer-keyhash: 
        db-type: V
        db-exp-date: 220409191416Z(Apr  9 19:14:16 2022 GMT)
        db-rev-date: ()
        db-serialno: 04D53E620097097A94C3F500D97B26unknown
        db-file: unknown
        db-name: /C=CA/ST=Ontario/O=myOrg/CN=xpto.com
        db-status: V
 
Regards, 
Fabio
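
Added example, not part of any post in this thread: a parser for the text that the sslmgr-store call returns, in the layout of the response quoted above, which classifies each record by its db-exp-date. The sample response, the function names and the 30-day threshold are constructed for illustration, and reading db-exp-date as an ASN.1 UTCTime is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the layout of the response quoted in the thread.
SAMPLE = """<response status="success"><result>0A1B2C:FFEE01
        db-exp-date: 220409191416Z(Apr  9 19:14:16 2022 GMT)
        db-name: /C=CA/O=ExampleOrg/CN=vpn.example.com
0A1B2D:FFEE01
        db-exp-date: 300101000000Z(Jan  1 00:00:00 2030 GMT)
        db-name: /C=CA/O=ExampleOrg/CN=portal.example.com
0A1B2E:FFEE01
        db-exp-date: ()
        db-name: /C=CA/O=ExampleOrg/CN=broken.example.com</result></response>"""

RECORD = re.compile(r"[0-9A-Fa-f]+:[0-9A-Fa-f]+")  # hash pair that opens a record
FIELD = re.compile(r"([\w -]+?):\s*(.*)")          # "key: value" detail line

def parse_store(xml_text):
    """Split the <result> text into one dict per certificate record."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError(f"API call failed: status={root.get('status')!r}")
    records = []
    for line in map(str.strip, (root.findtext("result") or "").splitlines()):
        if RECORD.fullmatch(line):
            records.append({"id": line})
        elif records and (m := FIELD.fullmatch(line)):
            records[-1][m.group(1)] = m.group(2)
    return records

def expiry(record):
    """db-exp-date as an aware UTC datetime, or None if unparseable."""
    m = re.match(r"(\d{12})Z", record.get("db-exp-date", ""))
    if not m:
        return None
    century = "20" if int(m.group(1)[:2]) < 50 else "19"  # UTCTime pivot (assumed)
    return datetime.strptime(century + m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def state(record, now, warn_days=30):
    """'unknown' (no parseable date), 'expired', 'expiring' or 'ok'."""
    when = expiry(record)
    if when is None:
        return "unknown"  # surface parse gaps instead of hiding them
    if when <= now:
        return "expired"
    return "expiring" if (when - now).days < warn_days else "ok"

def classify(records, now, warn_days=30):
    return {r.get("db-name", r["id"]): state(r, now, warn_days) for r in records}
```

Records whose date cannot be parsed are reported as "unknown" rather than dropped, so a format change on the device shows up in monitoring instead of silently passing.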

L5 Sessionator

Hi @FabioSouza, which command are you using, how are you using it (Postman, curl, etc), and is it to Panorama or NGFW directly?

It looks like you are using the "sslmgr-store" command from earlier in the thread, but maybe try the config command later in the thread (here) which includes certificate names in the response.

https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate

L1 Bithead

Sharing a script that utilises the Python API for anyone that may be interested.

https://github.com/ip-life-net/palo-check-cert-expiry 

@JimmyHolland I have the same question actually but I'm wondering what values do I need to substitute for the values I underlined below:

 

https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate

L5 Sessionator

Hi @TigeRRR,

Good question. In my notation, anything inside {{ braces like this }} means replace with your own value.

 

  • [@name='localhost.localdomain'] stays the same, this is a static value the same on every device.
  • {{template-name}} is the name of your Panorama template where you are modifying certs or gathering cert info. My response was to someone asking about Panorama specifically.

Hope that helps?


Thank you! I understood that it was to be your own values but I wasn't sure what it was referring to, what if this was to be pulled directly from a firewall and not Panorama?

L1 Bithead

Hi guys,

this is a really great thread and I thank you all for your inputs.

I'm currently trying to develop a certificate expiry monitoring solution for the 'default trusted certificate authorities'.

All the provided paths in this thread relate to the 'device certificates' only.

I believe I require a path that would access 'default trusted certificate authorities' on vsys1.

Could someone please point me in the right direction on how I could achieve this?

It's been a frustrating process thus far, so any direction will be much appreciated.

Thanks guys!
