I'm trying to automate importing public wildcard pkcs12 certificates with passphrase into Palo Altos with XML API and powershell.
Importing the cert in the web gui works fine, I give it a name, browse to the .pfx file, select format pkcs12, and enter and confirm the passphrase. Great! And then I can create other profiles and reference that cert.
However, I need to automate this import.
Following the instructions on https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-ce...
here's what I do in powershell :
$certFile = "wildcard.pfx"
$certName = "WILDCARD-CERT"
$passPhrase = "xxxxx"
$WANIP = "188.8.131.52"
$apikey = "yyyyyyy"
$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&type=import&category=keypair&certificate-name=$certName&format=pkcs12&passphrase=$passPhrase"
within powershell I call C:\Windows\System32\curl.exe because "curl" in powershell is just an alias for Invoke-WebRequest (which by the way is my preferred way of calling the PAN-OS API)
C:\Windows\System32\curl.exe -F "file=@$certFile" $apiurl
the result is:
curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
If I use -k for insecure,
C:\Windows\System32\curl.exe -k -F "file=@$certFile" $apiurl
the result is:
<response status="error"><msg><line>Import of certificate and private-key "WILDCARD-CERT" failed. Failed to extract certificate</line></msg></response>
However, as I said, it works just fine if I import it in the Palo Alto web gui.
any help would be appreciated.
I think I have a resolution.
I exported the cert from its original place, but this time as a BASE64 .pem file, exporting private key and using a passphrase.
Using the -k (insecure) with curl, the import was actually successful.
$certFile = "wildcard.pem"
$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&type=import&category=keypair&certificate-name=$certName&format=pem&passphrase=$passPhrase"
C:\Windows\System32\curl.exe -k -F "file=@$CertFile" $apiurl
<response status="success"><result>Successfully imported WILDCARD-CERT into candidate configuration</result></response>
I do not know why the pkcs12 format doesn’t work. It seems that I can ask my end users to supply the cert in .pem format. This should work just fine.
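The import shown in the thread works, but it leaves the server certificate unverified (-k), puts the API key in the URL, and never inspects the XML the firewall sends back. The following is an added example, not code from either post above, of the same PEM keypair import done from PowerShell with those points addressed. The management address, API key, CA bundle file name and the openssl conversion hint are assumptions; the X-PAN-KEY header and the type=import/category=keypair parameters are the documented XML API ones.

```powershell
# Added example (not from the original post): import a PEM keypair into a
# PAN-OS firewall through the XML API from PowerShell, checking the response
# instead of eyeballing it. Address, key, file names are placeholders.
$fw         = "198.51.100.10"     # assumed management address
$apiKey     = "<api-key>"         # assumed; obtain with type=keygen
$certName   = "WILDCARD-CERT"
$certFile   = "wildcard.pem"
$caBundle   = "mgmt-ca.pem"       # assumed: PEM of the CA that issued the management cert

# If end users hand you a .pfx, convert it to an encrypted PEM first
# (assumes openssl on PATH; both passphrases are prompted or passed via -passin/-passout):
#   openssl pkcs12 -in wildcard.pfx -out wildcard.pem

# Prompt for the passphrase rather than hard-coding it in the script.
$securePass = Read-Host -AsSecureString "Private key passphrase"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# URL-encode every value: a passphrase containing '&', '%' or '+' would otherwise
# be split or decoded by the API and surface as "Failed to extract certificate".
$query = [ordered]@{
    type               = "import"
    category           = "keypair"
    "certificate-name" = $certName
    format             = "pem"          # the format that worked in the thread
    passphrase         = $plain
}
$qs  = ($query.GetEnumerator() | ForEach-Object {
          "$($_.Key)=$([uri]::EscapeDataString([string]$_.Value))" }) -join "&"
$url = "https://$fw/api/?$qs"

# API key goes in the X-PAN-KEY header so it stays out of proxy logs and
# shell history. The passphrase still travels in the query string because the
# documented import use case puts it there, so run this over a trusted path.
# --cacert verifies the management interface cert; use -k only while testing.
$raw = & "$env:SystemRoot\System32\curl.exe" -s --cacert $caBundle `
         -H "X-PAN-KEY: $apiKey" -F "file=@$certFile" $url
Remove-Variable plain
if ($LASTEXITCODE -ne 0) {
    throw "curl.exe exited with $LASTEXITCODE (TLS or connectivity failure)"
}

# Parse the XML reply and fail loudly on status="error" instead of silently
# continuing to the next automation step with no certificate in place.
[xml]$resp = $raw
if ($resp.response.status -ne "success") {
    throw "Import of '$certName' failed: $($resp.response.msg.line)"
}
Write-Host $resp.response.result   # e.g. Successfully imported ... into candidate configuration
```

The import only lands in the candidate configuration, as the success message says, so a commit (type=commit) is still needed before the certificate is usable by any profile that references it.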