Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

API error messages

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

API error messages

L2 Linker

Hi all

 

This error message keeps coming up:

 

The latest API KeyGen was executed on <date and time> with the deprecated algorithm. You are advised to configure the more secure API key infrastructure by web interface: Setup -> Management -> Authentiation Settings -> API Key Certificate, or by CLI: set deviceconfig setting management api key certificate

 

API certificate is not even set up.

This has happened over 100 times in the system logs. Can this error be stopped and how will it affect the admin users?

 

s0lselcia_0-1726499809677.png

 

9 REPLIES 9

Cyber Elite
Cyber Elite

@s0lselcia,

What version of PAN-OS are you using at the moment? This was a known issue with 11.0's early releases, but that should have always been present as soon as you loaded PAN-OS.

Thanks for the response. Sorry, I did not mention the version.

 

PAN-OS: 11.1.2-h3 (jumped from 10.2 straight to 11.1.2-h3) Platform: PA-3220.

L0 Member

we are getting the same warning starting yesterday 21:16 pm on PAN-OS 11.2

L1 Bithead

Hello everyone,


@s0lselcia: You can fix the error by simply adding a certificate for the API key creation under the Authentication Seetings.
See here:
https://docs.paloaltonetworks.com/whats-new/november-2023/api-key-certificate

What I am wondering at this point is which certificate attributes must be stored in the certificate so that it can be used to generate the API key?
Does anyone know this?
Unfortunately I can't find it in the article shared above!


greetings...

Thanks for the response.

 

But why would you need to create one if it's never been set up and will never be used?

L1 Bithead

 

Hey s0lselcia,


Sure, you're welcome.

APIs will become increasingly important in the administration of firewalls and network hardware over the next few years.
I think that's why Palo is trying to make the protection and generation of API keys secure!

greetings....

Thanks again.

 

Is there any way to remove this error without configuring the API key?

L1 Bithead

Hey s0lselcia,

sorry for my late response.

If I understood correctly from the knowledge base articles, you can only fix the warning by adding a certificate under “Setup > Management > Authentication Settings”.
Here again the link to the article:
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/generate...

I think it is easiest to use a device certificate that you have already used to secure the Panorama Web GUI.

Greetings

Thanks for the response. The problem with configuring these certificates, it will affect the current admin's access, which is a problem. I would rather just be able to turn the message off.

  • 2213 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!