03-17-2021 09:53 AM
Hello all,
Do you know if it is possible to check the certificate expiration date from the API or CLI for Firewall and Panorama?
Ideally also get all the certificate details. I haven't found a way.
Thanks
04-13-2022 03:33 AM
@damom10 Those certificates are managed/updated as part of PAN-OS; they are not part of the configuration, unlike the other types of certificates mentioned previously in this thread.
04-13-2022 03:02 PM
Thanks Jimmy.
Any idea how best to approach creating a solution to grab those certificates and check for expiry? I'm using PowerShell and API at the moment but it seems like API isn't going to help me?
Maybe I need to use Python?
04-14-2022 01:58 AM
@damom10 Is there a reason why you want to check expiry of the CAs? How are you using them, why do you need to check them? In most use cases they are there to act just like the trusted CA list in your web browser, and I presume you would not check these, you expect your browser to manage them, and you expect PAN-OS to manage them too?
04-15-2022 01:57 AM
Hi Jimmy,
Thanks for your response.
I had a senior network engineer tell me we have several that are important for our VPN. But I am curious, if there is no need to monitor these, then I will mention it to him. If these generally manage themselves, then it sounds like there isn't a monitoring requirement.
04-15-2022 12:09 PM
Thanks, Jimmy.
That's how I got what I wanted.
1 - Get SSL/TLS service profiles
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/ssl-tls-service-profile
2 - Get all certificates
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/certificate
3 - Get a certificate by its name
https://{{PaloaltoIP}}/api/?key={{key}}&type=config&action=get&xpath=/config/shared/certificate/entry[@name='cert-name']
4 - If certificate name is not important
https://{{PaloaltoIP}}/api?key={{key}}&type=op&cmd=<show><sslmgr-store><config-certificate-info></config-certificate-info></sslmgr-store></show>
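The certificate listing returned by request 2 above can be turned into an expiry report. The following is an added example, not part of the original post: it parses a constructed response, and the element names not-valid-after and expiry-epoch, the sample values, and the helper name cert_expiry are assumptions about the response layout rather than anything shown in the thread.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample response (not captured from a real device). The child
# elements not-valid-after and expiry-epoch are an assumed layout.
SAMPLE_RESPONSE = """<response status="success"><result>
<certificate>
  <entry name="vpn-portal">
    <common-name>vpn.example.com</common-name>
    <not-valid-after>May  1 12:00:00 2022 GMT</not-valid-after>
    <expiry-epoch>1651406400</expiry-epoch>
  </entry>
  <entry name="internal-ca">
    <common-name>Example Internal CA</common-name>
    <not-valid-after>Jan  1 00:00:00 2030 GMT</not-valid-after>
  </entry>
  <entry name="imported-no-dates"/>
</certificate></result></response>"""

def cert_expiry(xml_text, now, warn_days=30):
    """Return (name, days_left, state) per certificate entry, soonest first."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    report = []
    for entry in root.iter("entry"):
        epoch = entry.findtext("expiry-epoch")
        text = entry.findtext("not-valid-after")
        if epoch:
            expires = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        elif text:
            expires = datetime.strptime(
                text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        else:
            # Flag entries whose dates cannot be read instead of hiding them.
            report.append((entry.get("name"), None, "UNKNOWN"))
            continue
        days_left = (expires - now).days
        state = ("EXPIRED" if days_left < 0
                 else "WARN" if days_left <= warn_days else "OK")
        report.append((entry.get("name"), days_left, state))
    # Dated entries first (soonest expiry on top), undated entries last.
    return sorted(report, key=lambda r: (r[1] is None, r[1] or 0))

if __name__ == "__main__":
    for name, days, state in cert_expiry(SAMPLE_RESPONSE, datetime.now(timezone.utc)):
        print(f"{state:8} {name:20} days_left={days}")
```

When fetching the XML for real, PAN-OS also accepts the API key in an X-PAN-KEY request header, which keeps it out of the URL and therefore out of proxy and web-server logs.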