====== PAN-OS API Certificates ======
Prefix all commands with 
<code>https://10.1.1.1/api/?key=API_KEY</code>

=====Certificates=====
RSA Algorithm Options
  * 512
  * 1024
  * 2048
  * 3072
  * 4096

ECDSA Algorithm Options
  * 256
  * 384

Digest Options
  * md5
  * sha1
  * sha256
  * sha384
  * sha512

=====Generate Certificates=====
====Generate Certificate Signing Request (Not CA====
<code>&type=op&cmd=<request><certificate><generate><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>external</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>CERT_MGT_FW-01</certificate-name><name>FW-01.example.local</name></generate></certificate></request></code>
====Generate Certificate Signing Request (CA====
<code>&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>external</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>CERT_MGT_FW-CA</certificate-name><name>FW-01.example.local</name></generate></certificate></request></code>
====Generate Certificate (Not CA) Using CA on Firewall====
<code>&type=op&cmd=<request><certificate><generate><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>GPCERT</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SelfSignedNotCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request></code>
====Generate Certificate (Subordinate CA) Using CA on Firewall====
<code>&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>GPCERT</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SubCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request></code>
====Generate Certificate (CA) Self Signed====
<code>&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SelfSignedCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request></code>
====Show Certificate Details====
<code>&type=op&cmd=<request><certificate><show><certificate-name>CERTIFICATE_NAME</certificate-name></show></certificate></request></code>
====Set Trust and Untrust Certificates====
===Shared===
In this example, the certificates are DECRYPT and DECRYPECDSA. Delete the ECDSA or RSA elements as required.
<code>&type=config&action=set&xpath=/config/shared&element=<ssl-decrypt><forward-trust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-trust-certificate><forward-untrust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-untrust-certificate><ssl-decrypt></code>
===VSYS===
In this example, the certificates are DECRYPT and DECRYPECDSA. Delete the ECDSA or RSA elements as required.
<code>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']&element=<ssl-decrypt><forward-trust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-trust-certificate><forward-untrust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-untrust-certificate><ssl-decrypt></code>

=====Export Certificates=====
For Panorama, currently I import/export all certificates to Panorama (mgmt) itself and then load partial to copy the signed certificates into specific templates. The 'import' and 'export' commands do not have a documented way of interfacing with Templates directly.
====Export Certificate Signing Request====
<code>&type=export&category=certificate&certificate-name=CERT_MGT_FW-01&format=pkcs10&include-key=no</code>
You can add the following to cURL to send to a file
<code> > CSR_FILE.csr</code>

====Export Certificate (Public Key Only====
<code>&type=export&category=certificate&certificate-name=CERTIFICATE_NAME&format=pem&include-key=no</code>
You can add the following to cURL to send to a file
<code> > CERTIFICATE_PUB_ONLY.crt</code>

====Export Certificate (Public and Private Key====
<code>&type=export&category=certificate&certificate-name=CERTIFICATE_NAME&format=pem&include-key=yes&passphrase=the_passphrase</code>
You can add the following to cURL to send to a file
<code> > CERTIFICATE_WITH_KEY.crt</code>
=====Import Certificates=====
Remember to put the following cURL command before the HTTPS request
<code>curl --insecure  --form file=@cert.pem</code>
====Import Certificate (Signed Public Certificate Base64====
<code>&type=import&category=certificate&format=pem&certificate-name=ImportedCert</code>
====Import Certificate (Password Protected Public Key Only====
<code>&type=import&category=certificate&format=pem&passphrase=password&certificate-name=ImportedCert</code>
====Import Certificate (Password Protected Public and Private Key====
<code>&type=import&category=keypair&format=pem&passphrase=password&certificate-name=ImportedCert</code>
====Import Private Key (Where Public Key Already Imported====
<code>&type=import&category=private-key&format=pem&passphrase=password&certificate-name=ImportedCert</code>

=====Panorama=====
====Load Panorama Certificate into Template (VSYS Specific====
<code>&type=op&cmd=<load><config><partial><from>running-config.xml</from><from-xpath>/config/panorama/certificate/entry[@name='CERTIFICATE_NAME']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEMPLATE_NAME']/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/certificate/entry[@name='CERTIFICATE_NAME']</to-xpath><mode>merge</mode></partial></config></load></code>

====Load Panorama Certificate into Template (Shared====
<code>&type=op&cmd=<load><config><partial><from>running-config.xml</from><from-xpath>/config/panorama/certificate/entry[@name='CERTIFICATE_NAME']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEMPLATE_NAME']/config/shared/certificate/entry[@name='CERTIFICATE_NAME']</to-xpath><mode>merge</mode></partial></config></load></code>

====HA Certificates====
===Import HA Key===
<code>curl --insecure --form file=@haKey.txt "&type=import&category=high-availability-key"</code>