How to upload a certificate into a Panorama template using XML API?

L0 Member

I'm trying to upload a set of SSL certificates into some templates on my Panorama using XML API. But I've not been able to find any documentation for doing that.

 

I'm able to upload certificates for the Panorama, using APIs. But I also want to be able to upload certificates into specific firewall template configs that I have on the Panorama using API.

 

Appreciate any pointers here.

L0 Member

I am having the same issue. I have a script that can do this process completely on the firewalls themselves as well as in Panorama, just not in Panorama templates. This is where it is needed most.

 

Palo Alto API team has stated that they don't have enough interest to spend the time to add this feature. 

 

If you have any interest in the feature, please have your support team request it or "vote" on my existing feature request.

 

 

L2 Linker

@Spongerius @RandallLoux 

Did you succeed with this eventually? I need to do the same but struggle with uploading a cert even directly to the firewall. Can you share a snippet of code? API documentation is extremely scarce in this regard...

L2 Linker

Answering my own question for the record...

 

It appeared to be easy to upload a certificate directly to the firewall - it's just a matter of constructing a correctly formatted MIME message. It must be a POST request with Content-type header set to multipart/form-data; boundary=<random tag>, followed by Content-length set to the length of the form data. Form data has to be constructed along these lines (Python):

from urllib.parse import quote
from urllib.request import Request

# boundary is the random tag named in the Content-Type header
form = '--'+boundary+'\r\n'+'Content-Disposition: form-data; name="file"; filename="certificate.cer"\r\n'+'Content-Type: application/octet-stream\r\n\r\n'
form = form+cert_body+'\r\n'
form = form+'--'+boundary+'--\r\n'

cert_body here is a plain string with Base64/PEM-encoded certificate. Form data also has to be encoded as UTF-8 before referencing from the actual request object. For example like this:

form_binary = form.encode('utf-8')
# Content-Length is filled in from the length of form_binary when the request is sent
req = Request(url, form_binary, headers={'Content-Type': 'multipart/form-data; boundary='+boundary})

URL in its turn may be constructed like

url = 'https://'+fwAddress+'/api/?type=import&category=certificate&certificate-name='+quote(cert_name,safe='<>[]=')+'&format=pem&key='+key

I hope this helps and saves somebody's time from reverse engineering Curl requests...(which is what I had to do to overcome the scarce API docs on this topic :))
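The request described in the answer above, put together as one function and checked by parsing the body back with the standard-library MIME parser. This is an added example, not code from the thread or from Palo Alto Networks; the names build_cert_import and parse_back, the host fw.example.test, the key and the certificate text are constructed placeholders, and nothing is sent over the network.

```python
import secrets
from email import message_from_bytes
from urllib.parse import quote
from urllib.request import Request

def build_cert_import(fw_address, api_key, cert_name, cert_pem):
    """Return a urllib Request for type=import&category=certificate (hypothetical helper)."""
    body = cert_pem.encode("utf-8")
    # Pick a random boundary and make sure it never occurs in the payload,
    # otherwise the receiver would cut the uploaded file short.
    boundary = secrets.token_hex(16)
    while boundary.encode() in body:
        boundary = secrets.token_hex(16)
    form = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="certificate.cer"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode("utf-8") + body + f"\r\n--{boundary}--\r\n".encode("utf-8")
    # Same URL layout as in the post. Name and key are fully percent-encoded so
    # neither can add extra query parameters. The key sits in the URL, so keep
    # the URL out of logs and shell history.
    url = (
        f"https://{fw_address}/api/?type=import&category=certificate"
        f"&certificate-name={quote(cert_name, safe='')}"
        f"&format=pem&key={quote(api_key, safe='')}"
    )
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(form)),  # byte length, not character count
    }
    return Request(url, data=form, headers=headers, method="POST")

def parse_back(req):
    """Re-parse the body as MIME; return (field name, filename, payload bytes)."""
    raw = b"Content-Type: " + req.get_header("Content-type").encode() + b"\r\n\r\n" + req.data
    part = message_from_bytes(raw).get_payload()[0]
    return (part.get_param("name", header="content-disposition"),
            part.get_filename(), part.get_payload(decode=True))

# Constructed sample input: placeholder host, key and certificate text.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nTUlJQ29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
if __name__ == "__main__":
    req = build_cert_import("fw.example.test", "EXAMPLEKEY==", "web cert/1", SAMPLE_PEM)
    print(req.full_url)
    print(parse_back(req))
```

To send the request, pass it to urllib.request.urlopen with the default SSL context so the firewall's management certificate is verified.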
