Hi @damom10, per your previous comment: "I had a senior network engineer tell me we have several that are important for our VPN. But I am curious, if there is no need to monitor these, then I will mention it to him. If these generally manage themselves, then it sounds like there isn't a monitoring requirement", I would check if you really need to build a solution to check expiry of the built-in default trusted CA certificates, because they do manage themselves; this is the responsibility of Palo Alto Networks through PAN-OS updates, and you can't add or remove certificates from this list, only disable/enable certificates in this list. I think the senior engineer may be referring to the certificates in the configuration; that is where you put your organisation's own certificates, the ones the organisation chooses to use for various tasks including VPNs.

 

Per the comment: "It seems the only path we can use is /config, the certificates I need to reach are in vsys1", all the config lives under this path, regardless of vsys. For certificates in the config for a specific vsys the NGFW xpath would be:

 

/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='{{vsys-name}}']/certificate/entry[@name='{{certificate-name}}']

 

Hope that helps.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂