Fighting the cli ... sigh - how to import a cert via the cli

L4 Transporter

Hi

So, silly me, I manage my cert in Panorama, so when my int CA for my management ports came up for renewal, I renewed, and pushed out to all the devices ... except for my Panorama 😞

Now I have CLI access only.

I have found the location

configure

panorama certificate

but when it comes time to add my multiline public key ... it will not take multiline entries ... how do I enter a multi line?

My god, how hard .. there is an open quote that doesn't work, or <space>\ that doesn't work.

Any help would be welcome ...

Cyber Elite

OK, I am going to ask the obvious and dumb question first.

Why not temporarily disable the need to use a cert to manage the Panorama?

You have CLI access, remove the line that references the cert.

For me, that line is

set deviceconfig system ssl-tls-service-profile SecureGUI (SecureGui is my cert profile)

Delete that line. Commit.

Now the Panorama would not be looking for a valid cert to manage on it.

Certainly will keep an eye on this message response, but should not be too difficult.

If I am misunderstanding the issue, please provide greater detail.  😛


Good tip Steve, probably the easiest option.

If pasting over CLI still though you might need "set cli scripting-mode on".

Good call, I was going to try removing the SSL from there. But delete an SSL cert, how will it present SSL traffic then?

I was thinking maybe to allow port 80 access.

As for scripting mode ... hadn't tried that. Is that how you insert certs?

I will give it a go.

Scripting mode is recommended when doing multiple lines of commands via CLI. I’m not sure if it is a cure for your issue though.

As for the cert requirement. Is it just that the certificate is no longer trusted and your browser won’t allow a connection? The cert is still there just expired right?

You can generate a new Panorama web-server certificate with the command:

                run request certificate generate for-use-by panorama-server

More detail on what you are trying would be helpful.

Also agree that just enabling HTTP management would be a quick way in. Deleting the SSL service profile probably won’t even commit since it would be referenced by the configured features to be using it.

***  Another option would be to SCP export the configuration to another device and replace the existing certificate in the XML configuration file and reimport.

Hi

No, the intermediary CA was expired.

I recently renewed the int CA and the management cert.

But forgot to update the int CA on Panorama, and I did upgrade the cert.

SCP .. yes, I found this in my googling.

I think the crux of the question is how to do cert management from CLI.

It looks like the only way to import a cert properly is to SCP in.

The set commands don't work!

To get the proper syntax of the configuration, including all the carriage returns etc., do the following to get the configuration output in set format. Then you can take just that section of the config to paste into Notepad++ or SublimeText so that you get the correct line requirements, such as right after the BEGIN CERTIFICATE --- line.

admin@M100-01(primary-active)> set cli config-output-format set
admin@M100-01(primary-active)> set cli scripting-mode on
admin@M100-01(primary-active)> configure
Entering configuration mode
[edit]
admin@M100-01(primary-active)# show

The private key is a single line but the public key is fixed width.

Shoot! OK, good to know. If you have successful steps, please post.

This is what I did - set show and copy paste.

It doesn't work.

L0 Member

I know this is old, but I was struggling with it as well.  The advice from here (CTRL-V followed by CTRL-M at the end of each line) worked:

https://www.reddit.com/r/paloaltonetworks/comments/4ojbsh/cli_assistance_with_banner_text/
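
A pre-flight check for the paste problem discussed in this thread, added here as an example and not part of any post: it rebuilds the fixed-width (64-column) PEM layout from a certificate that copy/paste has flattened or re-wrapped, and rejects a body that was truncated along the way. The function names and the sample blob are assumptions constructed for illustration; the blob is DER-shaped filler, not a real certificate.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_outer_length(der: bytes) -> int:
    """Total bytes the outer DER SEQUENCE claims to occupy (header + body)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: body is not a certificate")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def normalize_pem(pasted: str) -> str:
    """Rebuild a canonical 64-column PEM block from text mangled by copy/paste."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), pasted, re.S)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE markers not found")
    body = re.sub(r"\s+", "", m.group(1))        # drop CR, LF, spaces, tabs
    der = base64.b64decode(body, validate=True)  # raises on stray characters
    if der_outer_length(der) != len(der):
        raise ValueError("length mismatch: paste was truncated or has extra data")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


# Constructed sample: SEQUENCE header declaring 200 bytes, then 200 filler bytes.
# It is flattened onto one line, the way a failed multi-line paste leaves it.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))
FLAT_PASTE = BEGIN + " " + base64.b64encode(SAMPLE_DER).decode() + " " + END

if __name__ == "__main__":
    print(normalize_pem(FLAT_PASTE), end="")
```

Run it on the text copied out of the editor before pasting or importing; a `ValueError` means the block no longer matches what was exported.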
