XML API powershell, importing public wildcard pkcs12 certificates

Showing results for 
Show  only  | Search instead for 
Did you mean: 

XML API powershell, importing public wildcard pkcs12 certificates

L2 Linker

I'm trying to automate importing public wildcard pkcs12 certificates with passphrase into Palo Altos with XML API and powershell. 

Importing the cert in the  web gui works fine, I give it a name, browse to the .pfx file, select format pkcs12, and enter and confirm the passphrase. Great! And then I can create other profiles and reference that cert.

However, I need to automate this import.

Following the instructions on https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/pan-os-xml-api-use-cases/manage-ce...

here's what I do in powershell :

$certFile = "wildcard.pfx"
$passPhrase = "xxxxx"

$WANIP = "

$apikey = "yyyyyyy"

$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&type=import&category=keypair&certificate-name=$certName&format=pkcs12&passphrase=$passPhrase"


within powershell I call C:\Windows\System32\curl.exe because "curl" on powershell is just an alias for Invoke-webrequest (which by the way is my preferred way of call the PanOS API)

C:\Windows\System32\curl.exe -F "file=@$certFile" $apiurl
the result is:

curl: (60) schannel: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If I use -k for insecure,
C:\Windows\System32\curl.exe -k -F "file=@$certFile" $apiurl

the result is :
<response status="error"><msg><line>Import of certificate and private-key "WILDCARD-CERT" failed. Failed to extract certificate</line></msg></response>

However, as I said, it works just fine if I import it in the Palo Alto web gui.

any help would be appreciated.


L2 Linker

I think I have a resolution.

I exported the cert from its original place, but this time as a BASE64 .pem file, exporting private key and using a passphrase.

Using the -k (insecure) with curl, the import was actually successful.


$certFile = "wildcard.pem"

$apiurl = "https://" + $wanip + "//api/?key=" + $apiKey + "&type=import&category=keypair&certificate-name=$certName&format=pem&passphrase=$passPhrase"


C:\Windows\System32\curl.exe -k -F "file=@$CertFile" $apiurl


<response status="success"><result>Successfully imported WILDCARD-CERT into candidate configuration</result></response>


I do not know why the pkcs12 format doesn’t work.  It seems that I can ask my end users to supply the cert in .pem format. This should work just fine.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!