Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
03-17-2021 09:53 AM
Hello all,
Do you know if it is possible to check certificate expiration date from API or CLI for Firewall and Panorama.
Ideally also get all the certificate details. I haven't found a way.
Thanks
03-19-2021 09:14 AM
And the equivalent XML API call:
https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>
03-19-2021 03:34 AM
Hi there,
On the firewall CLI try show sslmgr-store config-certificate-info will give you certificate details including expiry dates.
cheers,
Seb.
03-19-2021 07:47 AM
Thank you.
Awesome, that's was exactly what I was looking for.
03-19-2021 09:14 AM
And the equivalent XML API call:
https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>
12-07-2021 02:03 AM
Hi,
I not found a sslmgr-store option on my panorama
12-07-2021 02:59 AM
Hi @efurlan, another method is to look at the config, such as this example API call:
https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate
The response includes the expiry (and begin) dates:
12-07-2021 03:08 AM
You could also do the sslmgr command on a managed-firewall via Panorama:
https://{{host}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>&target={{ngfw-serial-number}}
04-05-2022 07:33 AM
Hi Jymmy,
Thank you for the post, I'm using exactly what you posted but looks like it does not send the certificate's name in the response. Do you have any suggestions about how to get a list of SSL Certificates installed?
Response:
04-07-2022 01:10 AM
Hi @FabioSouza, which command are you using, how are you using it (Postman, curl, etc), and is it to Panorama or NGFW directly?
It looks like you are using the "sslmgr-store" command from earlier in the thread, but maybe try the config command later in the thread (here) which includes certificate names in the response.
https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate
04-07-2022 01:51 AM
Sharing a script that utilises the Python API for anyone that may be interested.
04-07-2022 09:30 AM
@JimmyHolland I have the same question actually but I'm wondering what values do I need to substitute for the values I underlined below:
https://{{host}}/api/?key={{key}}&type=config&action=get&xpath=/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='{{template-name}}']/config/shared/certificate
04-08-2022 05:06 AM
Hi @TigeRRR,
Good question. In my notation, anything inside {{ braces like this }} means replace with your own value.
Hope that helps?
04-08-2022 07:23 AM
Thank you! I understood that it was to be your own values but I wasn't sure what it was referring to, what if this was to be pulled directly from a firewall and not Panorama?
04-12-2022 05:50 PM
Hi guys,
this is a really great thread and I thank you all for your inputs.
I'm currently trying to develop a certificate expiry monitoring solution for the 'default trusted certificate authorities'.
All the provided paths in this thread relate to the 'device certificates' only.
I believe I require a path that would access 'default trusted certificate authorities' on vsys1.
Could someone please point me in the right direction on how I could achieve this?
It's been a frustrating process thus far, so any direction will be much appreciated.
Thanks guys!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
