How to upload a certificate into a Panorama template using XML API?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to upload a certificate into a Panorama template using XML API?

L0 Member

I'm trying to upload a set of SSL certificates into some templates on my Panorama using XML API. But I've not been able to find any documentation for doing that.

 

I'm able upload certificates for the Panorama, using APIs. But I also want to be able to upload certificates into specific firewall template configs that I have on the Panorama using API.

 

Appreciate any pointers here.

5 REPLIES 5

L0 Member

I am having the same issue.   I have a script that can do this process completely on the firewalls themselves as well as in Panorama, just not in Panorama templates.  This is where it is needed most.

 

Palo Alto API team has stated that they don't have enough interest to spend the time to add this feature. 

 

If you have any interest in the feature, please have your support team request it or "vote" on my existing feature request.

 

 

L2 Linker

@Spongerius @RandallLoux 

Did you succeed with this eventually? I need to do the same but struggle with uploading a cert even directly to the firewall. Can you share a snippet of code? API documentation is exteremely scarce in this regard... 

Answering my own question for the record...

 

It appeared to be easy to upload a certificate directly to the firewall - it's just a matter of constructing a correctly formatted MIME message. It must be a POST request with Content-type header set to multipart/form-data; boundary=<random tag>, followed by Content-length  set to the length of the form data. Form data has to be constructed along these lines (Python):

form = '--'+<the_boundary_tag>+'\r\n'+'Content-Disposition: form-data; name="file"; filename="certificate.cer"\r\n'+'Content-Type: application/octet-stream\r\n\r\n'
form = form+cert_body+'\r\n'
form = form+'--'+<the_boundary_tag>+'--\r\n'

cert_body
here is a plain string with Base64/PEM-encoded certificate. Form data has also be encoded as UTF-8 before referencing from the actual request object. For example like this:

form_binary = form.encode('utf-8')
req = Request(url, form_binary)

URL in its turn may be constructed like
'https://'+fwAddress+'/api/?type=import&category=certificate&certificate-name='+quote(cert_name,safe='<>[]=')+'&format=pem&key='+key

I hope this help and saves somebody's time from reverse engineering Curl requests...(which is what I had to do to overcome the scarce API docs on this topic :))

I am literally trying to do this right now as I have to update all of the NOIP DDNS certs on like 40 firewalls. The cert is installed on the firewalls via panorama though in each device template exactly as you said. Well I guess there is no sense in wasting time looking for the answer to this problem anymore. Seems like the API is a logical tool for this exact thing!

L5 Sessionator

For uploading a certificate to a template on Panorama, first set the target template with the first API call:

https://{{host}}/api?key={{key}}&type=op&cmd=<set><system><setting><target><template><name>{{template-name}}</name></template></target></setting></system></set>

 

Then upload the certificate with a second API call, where this API call includes the cert inside form-data (per Nikolay-Matveev's earlier post):

https://{{host}}/api/?key={{key}}&type=import&category=certificate&format=pem&certificate-name={{cert-name}}

 

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
  • 6585 Views
  • 5 replies
  • 4 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!