09-16-2024 08:17 AM
Hi all
This error message keeps coming up:
The latest API KeyGen was executed on <date and time> with the deprecated algorithm. You are advised to configure the more secure API key infrastructure by web interface: Setup -> Management -> Authentiation Settings -> API Key Certificate, or by CLI: set deviceconfig setting management api key certificate
API certificate is not even set up.
This has happened over 100 times in the system logs. Can this error be stopped and how will it affect the admin users?
09-16-2024 12:09 PM
What version of PAN-OS are you using at the moment? This was a known issue with 11.0's early releases, but that should have always been present as soon as you loaded PAN-OS.
09-16-2024 01:40 PM
Thanks for the response. Sorry, I did not mention the version.
PAN-OS: 11.1.2-h3 (jumped from 10.2 straight to 11.1.2-h3) Platform: PA-3220.
09-17-2024 07:47 AM
we are getting the same warning starting yesterday 21:16 pm on PAN-OS 11.2
09-19-2024 01:59 AM - edited 09-19-2024 01:59 AM
Hello everyone,
@s0lselcia: You can fix the error by simply adding a certificate for the API key creation under the Authentication Seetings.
See here:
https://docs.paloaltonetworks.com/whats-new/november-2023/api-key-certificate
What I am wondering at this point is which certificate attributes must be stored in the certificate so that it can be used to generate the API key?
Does anyone know this?
Unfortunately I can't find it in the article shared above!
greetings...
09-19-2024 04:16 AM
Thanks for the response.
But why would you need to create one if it's never been set up and will never be used?
09-19-2024 07:52 AM
Hey s0lselcia,
Sure, you're welcome.
APIs will become increasingly important in the administration of firewalls and network hardware over the next few years.
I think that's why Palo is trying to make the protection and generation of API keys secure!
greetings....
09-19-2024 08:28 AM
Thanks again.
Is there any way to remove this error without configuring the API key?
09-24-2024 05:29 AM
Hey s0lselcia,
sorry for my late response.
If I understood correctly from the knowledge base articles, you can only fix the warning by adding a certificate under “Setup > Management > Authentication Settings”.
Here again the link to the article:
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/generate...
I think it is easiest to use a device certificate that you have already used to secure the Panorama Web GUI.
Greetings
09-24-2024 11:03 AM
Thanks for the response. The problem with configuring these certificates, it will affect the current admin's access, which is a problem. I would rather just be able to turn the message off.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
