Prefix all commands with
https://10.1.1.1/api/?key=API_KEY
RSA Algorithm Options
ECDSA Algorithm Options
Digest Options
&type=op&cmd=<request><certificate><generate><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>external</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>CERT_MGT_FW-01</certificate-name><name>FW-01.example.local</name></generate></certificate></request>
&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>external</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>CERT_MGT_FW-CA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>
&type=op&cmd=<request><certificate><generate><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>GPCERT</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SelfSignedNotCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>
&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>GPCERT</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SubCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>
&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SelfSignedCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>
&type=op&cmd=<request><certificate><show><certificate-name>CERTIFICATE_NAME</certificate-name></show></certificate></request>
In this example the certificates are named DECRYPT and DECRYPTECDSA; this variant sets them in the shared configuration. Delete the ECDSA or RSA elements as required.
&type=config&action=set&xpath=/config/shared&element=<ssl-decrypt><forward-trust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-trust-certificate><forward-untrust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-untrust-certificate></ssl-decrypt>
In this example the certificates are named DECRYPT and DECRYPTECDSA; this variant sets them on vsys1. Delete the ECDSA or RSA elements as required.
&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']&element=<ssl-decrypt><forward-trust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-trust-certificate><forward-untrust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-untrust-certificate></ssl-decrypt>
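As an added example (not from the original page), this Python builds the certificate generate command shown above from parameters, in the element order the page uses, and assembles one percent-encoded API call; it also checks that a cmd or element fragment is well-formed XML before it is sent, which catches an unclosed ssl-decrypt element locally. The device address and the API_KEY placeholder are taken from the page; the function names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

BASE_URL = "https://10.1.1.1/api/"   # address from the page
API_KEY = "API_KEY"                  # placeholder from the page, not a real key


def generate_cert_cmd(cert_name, cn, hostnames, ips, nbits=2048, days=270,
                      ca=False, signed_by=None, digest="sha256"):
    """Build <request><certificate><generate> in the element order the page uses.

    signed_by=None gives a self-signed certificate, "external" gives a CSR, and any
    other value names the on-box CA certificate that signs the new one.
    """
    req = ET.Element("request")
    gen = ET.SubElement(ET.SubElement(req, "certificate"), "generate")
    if ca:
        ET.SubElement(gen, "ca").text = "yes"
    ET.SubElement(gen, "digest").text = digest
    rsa = ET.SubElement(ET.SubElement(gen, "algorithm"), "RSA")
    ET.SubElement(rsa, "rsa-nbits").text = str(nbits)
    ET.SubElement(gen, "days-till-expiry").text = str(days)
    if signed_by:
        ET.SubElement(gen, "signed-by").text = signed_by
    hn = ET.SubElement(gen, "hostname")
    for h in hostnames:
        ET.SubElement(hn, "member").text = h
    ip = ET.SubElement(gen, "ip")
    for a in ips:
        ET.SubElement(ip, "member").text = a
    ET.SubElement(gen, "certificate-name").text = cert_name
    ET.SubElement(gen, "name").text = cn
    return ET.tostring(req, encoding="unicode")


def is_well_formed(xml_text):
    """True if the fragment parses; an unclosed <ssl-decrypt> fails here, not on the box."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def api_url(**params):
    """Assemble one API call; the raw '<' and '>' on the page must be percent-encoded."""
    for name in ("cmd", "element"):
        if name in params and not is_well_formed(params[name]):
            raise ValueError(f"{name} is not well-formed XML")
    return BASE_URL + "?" + urlencode({"key": API_KEY, **params})
```

Passing the key in the query string leaves it in proxy and web-server logs; PAN-OS 9.0 and later also accept the key in an X-PAN-KEY request header, which keeps it out of URLs.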
For Panorama, currently I import/export all certificates to Panorama (mgmt) itself and then load partial to copy the signed certificates into specific templates. The 'import' and 'export' commands do not have a documented way of interfacing with Templates directly.
&type=export&category=certificate&certificate-name=CERT_MGT_FW-01&format=pkcs10&include-key=no
Append the following to the cURL command to write the output to a file:
> CSR_FILE.csr
&type=export&category=certificate&certificate-name=CERTIFICATE_NAME&format=pem&include-key=no
Append the following to the cURL command to write the output to a file:
> CERTIFICATE_PUB_ONLY.crt
&type=export&category=certificate&certificate-name=CERTIFICATE_NAME&format=pem&include-key=yes&passphrase=the_passphrase
Append the following to the cURL command to write the output to a file:
> CERTIFICATE_WITH_KEY.crt
Remember to put the following cURL command before the HTTPS request (it uploads the file as a multipart form field):
curl --insecure --form file=@cert.pem
&type=import&category=certificate&format=pem&certificate-name=ImportedCert
&type=import&category=certificate&format=pem&passphrase=password&certificate-name=ImportedCert
&type=import&category=keypair&format=pem&passphrase=password&certificate-name=ImportedCert
&type=import&category=private-key&format=pem&passphrase=password&certificate-name=ImportedCert
&type=op&cmd=<load><config><partial><from>running-config.xml</from><from-xpath>/config/panorama/certificate/entry[@name='CERTIFICATE_NAME']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEMPLATE_NAME']/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/certificate/entry[@name='CERTIFICATE_NAME']</to-xpath><mode>merge</mode></partial></config></load>
&type=op&cmd=<load><config><partial><from>running-config.xml</from><from-xpath>/config/panorama/certificate/entry[@name='CERTIFICATE_NAME']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEMPLATE_NAME']/config/shared/certificate/entry[@name='CERTIFICATE_NAME']</to-xpath><mode>merge</mode></partial></config></load>
curl --insecure --form file=@haKey.txt "&type=import&category=high-availability-key"