09-16-2024 08:17 AM
Hi all
This error message keeps coming up:
The latest API KeyGen was executed on <date and time> with the deprecated algorithm. You are advised to configure the more secure API key infrastructure by web interface: Setup -> Management -> Authentiation Settings -> API Key Certificate, or by CLI: set deviceconfig setting management api key certificate
API certificate is not even set up.
This has happened over 100 times in the system logs. Can this error be stopped and how will it affect the admin users?
11-30-2025 12:32 PM - edited 11-30-2025 12:37 PM
I fixed it on sw-version: 11.2.10 like this.. (7300 is the max allowed number of days - 20yrs), enjoy:
> request certificate generate ca yes days-till-expiry 7300 algorithm RSA rsa-nbits 4096 certificate-name API-test name API-test
> configure
# set deviceconfig setting management api key certificate API-test
# commit
11-30-2025 12:56 PM
It is not complaining about the presence or absence of the API Key, but rather the certificate to be used by the API-key, you don't need to configure an API-key to get rid of the error, you just need to choose/create a cert to be used by the API-key should you ever configure the API key. Basically, for your security, Palo is getting out of the business of providing factory created certs, and now they want the user to generate certs locally or provide them via CA, but factory-provided certs have become a liability for obvious reasons.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
