Unable to find exact api url for device certificate features like import, export, renew and revoke

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Unable to find exact api url for device certificate features like import, export, renew and revoke

L1 Bithead

Can someone help to find exact api url for device certificate features like import, export, renew, revoke, generate

 

I tried to generate certificate under template(tlv-5260) but it is getting generated under panorama tab only instead of Device Tab as per API URL given under Manage Certificates(API) page link.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-ce...,

 

API URL that I was trying to use as below:
"https://<panorama-ip>/api/?type=op&cmd=<request><certificate><generate><algorithm><RSA>"
"<rsa-nbits>512</rsa-nbits></RSA></algorithm><certificate-name>SSCert</certificate-name>"
"<name>10.1.1.1</name><ca>yes</ca></generate></certificate></request>&target-tpl=template&"
"target-tpl-vsys=vsys1&template=tlv-5260&key=<api-key>".

 

Also I tried to generate the certificate with below XML API as well but I am not sure which action I should use for remaining features like import/export/renew/revoke.

"https://<panorama-ip>/api/?type=config&action=set&xpath=/config/devices/entry[@name=\'localhost.localdomain\']"
"/template/entry[@name='{}']/config/shared/certificate/entry[@name='<certificate-name>']&element=<common-name>10.0.0.1</common-name>&key=<api-key>" 

 

It would be better if someone can test the same and share the exact URL for all the features.

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @AModi, one good way to get the correct API call is to debug the CLI, details here. If you are unsure of CLI commands, on the CLI you can type "find command keyword {{something}}" to find the correct command.

In this instance, whilst the web GUI uses "target-tpl=template" to direct commands to a specific template in Panorama, this cannot be used as an external XML API client. Instead, first "set" the target template with this command, as you would on CLI:

https://{{host}}/api?key={{key}}&type=op&cmd=<set><system><setting><target><template><name>{{template-name}}</name></template></target></setting></system></set>

 

Then carry on with your subsequent certificate operation API calls, but do not include the "target-tpl=template" part. For example, these two commands will lead you to upload a certificate to a specific template.

 

https://{{host}}/api?key={{key}}&type=op&cmd=<set><system><setting><target><template><name>{{template-name}}</name></template></target></setting></system></set>

https://{{host}}/api/?key={{key}}&type=import&category=certificate&format=pem&certificate-name={{cert-name}}


Hope this helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

4 REPLIES 4

L5 Sessionator

Hi @AModi, one good way to get the correct API call is to debug the CLI, details here. If you are unsure of CLI commands, on the CLI you can type "find command keyword {{something}}" to find the correct command.

In this instance, whilst the web GUI uses "target-tpl=template" to direct commands to a specific template in Panorama, this cannot be used as an external XML API client. Instead, first "set" the target template with this command, as you would on CLI:

https://{{host}}/api?key={{key}}&type=op&cmd=<set><system><setting><target><template><name>{{template-name}}</name></template></target></setting></system></set>

 

Then carry on with your subsequent certificate operation API calls, but do not include the "target-tpl=template" part. For example, these two commands will lead you to upload a certificate to a specific template.

 

https://{{host}}/api?key={{key}}&type=op&cmd=<set><system><setting><target><template><name>{{template-name}}</name></template></target></setting></system></set>

https://{{host}}/api/?key={{key}}&type=import&category=certificate&format=pem&certificate-name={{cert-name}}


Hope this helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Thanks a lot @JimmyHolland for sharing the solution, I tried it & it worked for me.

This is really great info. So I got the first line without issue so I am set on the correct template however where I am confused is step 2. How do you select the certificate to upload? Like the actual file that is on my PC for example. Thank you

Hi @jasonwald , you can use requests module with parameter "files={"file": open(target file path, "rb")}" inside it for import feature for certificate.

  • 1 accepted solution
  • 4382 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!