- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-15-2018 05:20 AM
Hey,
The subject says it all...
This is a VM-100 with latest updates.
I can log in to CLI and I wonder how can I list all certificates, identify the expired cert and if possible renew it, all through CLI.
Thanks for any comments and a list of my options in this situation 🙂
best regards Tor
06-18-2018 06:53 AM
Hi Tor,
The article you sent actually mentions about the absence of a certificate entirely - rather than an expired one.
As per the article's recommendations, have you tried to assign the primary certificate from you chain to the webserver?
> configure
# set deviceconfig system web-server-certificate <certname>
# commit
# exit
Regarding this error, I have not seen this before and the steps you took to renew the self signed-CA via CLI command are correct. If trying the above is unsuccessful, could you give the management server a reboot? (debug software restart process management-server) What Pan-OS version are you running also?
06-15-2018 07:25 AM
Pull the running configuration from the CLI, identify the cert in question and update it directly through the CLI and push it back to the box, load it and commit.
FYI, an expired cert shouldn't block you from accessing the web interface; you should be able to bypass the warning and still access the GUI.
06-18-2018 01:27 AM
Hi,
Thanks for the advice. I got the config and found the properties of the expired certificate, see below.
There are a total of 6 certificate entries (but only this is expired). Does it exist an how-to to renew or create a new cert? Thanks for comments on how I can proceed further by the CLI...
regards Tor
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
</public-key>
<algorithm>RSA</algorithm>
</entry>
<entry name="MyCompanys CA 2017">
<subject-hash>c16a5de3</subject-hash>
<issuer-hash>94d7a06a</issuer-hash>
<not-valid-before>Jan 26 20:02:51 2017 GMT</not-valid-before>
<issuer>/C=NO/ST=Some-State/O=MyCompany VGS</issuer>
<not-valid-after>Jun 10 20:02:51 2018 GMT</not-valid-after>
<common-name>172.23.10.2</common-name>
<expiry-epoch>1528660971</expiry-epoch>
<ca>no</ca>
<subject>/C=NO/ST=Some-State/O=MyCompany VGS/OU=Firewall/CN=172.23.10.2</subject>
<public-key>-----BEGIN CERTIFICATE-----
MIIDFjCCAf4CCQCYA5DXj+1MWDANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJO
06-18-2018 04:59 AM
Hi,
From the CLI:
> request certificate renew days-till-expiry <days> certificate-name <certname>
> request certificate generate
+ ca Make this a signing certificate
+ country-code Country code
+ days-till-expiry Number of days till expiry
+ digest Digest Algorithm
+ email Email address of the contact person
+ filename file name for the certificate
+ locality Locality
+ ocsp-responder-url ocsp-responder-url
+ organization Organization
+ signed-by signed-by
+ state State/province
* algorithm algorithm
* certificate-name Name of the certificate object
* name IP or FQDN to appear on the certificate
> alt-email Subject alternate Email type
> hostname Subject alternate name DNS type
> ip Subject alternate name IP type
> organization-unit Department
Seconding what @BPry has said - you should still be able to login to the webUI -even with an expired cert.
Thanks,
Luke.
06-18-2018 06:44 AM
Hi again,
Thanks for all help. I see your last comment both of you, however our webinterface ceased to respond at the day the CA cert expired and I read about it here:
If you have other suggestions as to why our webinterface ceased to respond, I'm of course open to any help or troubleshooting tips.
Anyway, I tried to renew our current CA cert by this command:
VM-100> request certificate renew days-till-expiry 400 certificate-name "MyCompany CA 2017"
.. but got this error:
Server error : Failed to determine the issuer of certificate
This is a self signed cert, so which parameters do I apply to make it content ?
Thanks again 🙂
best regards Tor
06-18-2018 06:53 AM
Hi Tor,
The article you sent actually mentions about the absence of a certificate entirely - rather than an expired one.
As per the article's recommendations, have you tried to assign the primary certificate from you chain to the webserver?
> configure
# set deviceconfig system web-server-certificate <certname>
# commit
# exit
Regarding this error, I have not seen this before and the steps you took to renew the self signed-CA via CLI command are correct. If trying the above is unsuccessful, could you give the management server a reboot? (debug software restart process management-server) What Pan-OS version are you running also?
06-19-2018 01:08 PM
Hi again,
Thanks a lot! The restarting of the management plane did the trick. After that we were able to relogin to the webinterface and I created a new cert and now all is well.
The 'disconnection' occurred at about same time as the https cert expired. I'm on version 8.1.1. Is it possible that the cert expiration caused the management plane to 'hang' so web interface access was disabled..?
Anyway, I'm just glad to be up and running again. Thanks again 🙂
Tor
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!