05-21-2017 11:19 PM
I'm trying to upload a set of SSL certificates into some templates on my Panorama using XML API. But I've not been able to find any documentation for doing that.
I'm able upload certificates for the Panorama, using APIs. But I also want to be able to upload certificates into specific firewall template configs that I have on the Panorama using API.
Appreciate any pointers here.
02-14-2018 10:45 AM
I am having the same issue. I have a script that can do this process completely on the firewalls themselves as well as in Panorama, just not in Panorama templates. This is where it is needed most.
Palo Alto API team has stated that they don't have enough interest to spend the time to add this feature.
If you have any interest in the feature, please have your support team request it or "vote" on my existing feature request.
10-14-2020 02:12 AM
Did you succeed with this eventually? I need to do the same but struggle with uploading a cert even directly to the firewall. Can you share a snippet of code? API documentation is exteremely scarce in this regard...
10-21-2020 09:11 AM
Answering my own question for the record...
It appeared to be easy to upload a certificate directly to the firewall - it's just a matter of constructing a correctly formatted MIME message. It must be a POST request with Content-type header set to multipart/form-data; boundary=<random tag>, followed by Content-length set to the length of the form data. Form data has to be constructed along these lines (Python):
form = '--'+<the_boundary_tag>+'\r\n'+'Content-Disposition: form-data; name="file"; filename="certificate.cer"\r\n'+'Content-Type: application/octet-stream\r\n\r\n'
form = form+cert_body+'\r\n'
form = form+'--'+<the_boundary_tag>+'--\r\n'
cert_body here is a plain string with Base64/PEM-encoded certificate. Form data has also be encoded as UTF-8 before referencing from the actual request object. For example like this:
form_binary = form.encode('utf-8')
req = Request(url, form_binary)
URL in its turn may be constructed like
'https://'+fwAddress+'/api/?type=import&category=certificate&certificate-name='+quote(cert_name,safe='<>[]=')+'&format=pem&key='+key
I hope this help and saves somebody's time from reverse engineering Curl requests...(which is what I had to do to overcome the scarce API docs on this topic :))
11-10-2021 01:45 PM
I am literally trying to do this right now as I have to update all of the NOIP DDNS certs on like 40 firewalls. The cert is installed on the firewalls via panorama though in each device template exactly as you said. Well I guess there is no sense in wasting time looking for the answer to this problem anymore. Seems like the API is a logical tool for this exact thing!
11-12-2021 12:32 PM
For uploading a certificate to a template on Panorama, first set the target template with the first API call:
https://{{host}}/api?key={{key}}&type=op&cmd=<set><system><setting><target><template><name>{{template-name}}</name></template></target></setting></system></set>
Then upload the certificate with a second API call, where this API call includes the cert inside form-data (per Nikolay-Matveev's earlier post):
https://{{host}}/api/?key={{key}}&type=import&category=certificate&format=pem&certificate-name={{cert-name}}
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
