How to check certificate expiration date from API or CLI?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to check certificate expiration date from API or CLI?

L0 Member

Hello all,

 

Do you know if it is possible to check certificate expiration date from API or CLI for Firewall and Panorama.

Ideally also get all the certificate details. I haven't found a way.

 

Thanks

 

23 REPLIES 23

L5 Sessionator

@damom10 Thos certificates are managed/updated as part of PAN-OS, they are not part of the configuration unlike the other types of certificates mentioned previously in this thread.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Thanks Jummy.

Any idea how best to approach creating a solution to grab those certificates and check for expiry. I'm using PowerShell and API at the moment but it seems like API isn't going to help me?

Maybe I need to use python?

L5 Sessionator

@damom10 Is there a reason why you want to check expiry of the CAs? How are you using them, why do you need to check them? In most use cases they are there to act just like the trusted CA list in your web browser, and I presume you would not check these, you expect your browser to manage them, and you expect PAN-OS to manage them too?

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi Jimmy,

thanks for your response.

I had a senior network engineer tell me we have several that are important for our VPN. But I am curious, if there is no need to monitor these, then I will mention it to him. If these generally manage themselves, then it sounds like there isn't a monitoring requirement.

Thanks, Jimmy. 

That's how I got what I wanted.  

1 - Get SSL/TLS service profiles   
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/ssl-tls-service-profile

2 - Get all certificates 
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/certificate

3 - Get a certificate by it's name 
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/certificate/entry[@name='cert-name']

4 - If certificate name is not important 
https://{{PaloaltoIP}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>

Thanks for that information Fabio. It seems the only path we can use is /config, the certificates I need to reach are in vsys1

Hi @damom10, per you previous comment: "I had a senior network engineer tell me we have several that are important for our VPN. But I am curious, if there is no need to monitor these, then I will mention it to him. If these generally manage themselves, then it sounds like there isn't a monitoring requirement", I would check if you really need to build a solution to check expiry of the built-in default trusted CA certificates, because they do manage themselves, this is the responsibility of Palo Alto Networks through PAN-OS updates, and you can't add or remove certificates from this list, only disable/enable certificates in this list. I think the senior engineer may be referring to the certificates in the configuration, that is where you put your organisation's own certificates, the ones the organisation chooses to use for various tasks including VPNs.

 

Per the comment: "It seems the only path we can use is /config, the certificates I need to reach are in vsys1", all the config lives under this path, regardless of vsys. For certificates in the config for a specific vsys the NGFW xpath would be:

 

/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='{{vsys-name}}'/certificate/entry[@name='{{certificate-name}}']

 

Hope that helps.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

This is most helpful, I can't thank you enough Jimmy!

I can see my confusion now, the network engineer was referring to the device certificates, I just got confused as both cert tabs are side-by-side in vpan.

 

Thank you also for sharing the xpath, do you know if it has to be certificate specific? Ideally, I would want to write an invoke-webrequest via powershell and dump all the relevant certificates into a table with that one call, instead of calling each one.

 

Thanks again for all of your help.

L1 Bithead

I have used 2 different xpaths.

 

1. <show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>

 

response is a string which is a little annoying.


And @FabioSouza recommendation
2 - Get all certificates
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/certificate

 

The response is great but the network engineer said the shared path will not represent the certs we have on vsys1.

Is this correct?

Thanks to Jimmy, I know how to view specific certificates on vsys1, but I would prefer a call that lists all in vsys1.

 

 

  • 25087 Views
  • 23 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!