Prefix all commands with

https://10.1.1.1/api/?key=API_KEY

RSA Algorithm Options

• 512
• 1024
• 2048
• 3072
• 4096

ECDSA Algorithm Options

• 256
• 384

Digest Options

• md5
• sha1
• sha256
• sha384
• sha512

&type=op&cmd=<request><certificate><generate><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>external</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>CERT_MGT_FW-01</certificate-name><name>FW-01.example.local</name></generate></certificate></request>

&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>external</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>CERT_MGT_FW-CA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>

&type=op&cmd=<request><certificate><generate><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>GPCERT</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SelfSignedNotCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>

&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><signed-by>GPCERT</signed-by><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SubCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>

&type=op&cmd=<request><certificate><generate><ca>yes</ca><digest>sha256</digest><algorithm><RSA><rsa-nbits>2048</rsa-nbits></RSA></algorithm><days-till-expiry>270</days-till-expiry><hostname><member>FW-01.example.local</member><member>FW-01</member></hostname><ip><member>1.1.1.1</member></ip><certificate-name>SelfSignedCA</certificate-name><name>FW-01.example.local</name></generate></certificate></request>

&type=op&cmd=<request><certificate><show><certificate-name>CERTIFICATE_NAME</certificate-name></show></certificate></request>

In this example, the certificates are DECRYPT and DECRYPECDSA. Delete the ECDSA or RSA elements as required.

&type=config&action=set&xpath=/config/shared&element=<ssl-decrypt><forward-trust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-trust-certificate><forward-untrust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-untrust-certificate><ssl-decrypt>

In this example, the certificates are DECRYPT and DECRYPECDSA. Delete the ECDSA or RSA elements as required.

&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']&element=<ssl-decrypt><forward-trust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-trust-certificate><forward-untrust-certificate><rsa>DECRYPT</rsa><ecdsa>DECRYPTECDSA</ecdsa></forward-untrust-certificate><ssl-decrypt>

For Panorama, currently I import/export all certificates to Panorama (mgmt) itself and then load partial to copy the signed certificates into specific templates. The 'import' and 'export' commands do not have a documented way of interfacing with Templates directly.

&type=export&category=certificate&certificate-name=CERT_MGT_FW-01&format=pkcs10&include-key=no

You can add the following to cURL to send to a file

 > CSR_FILE.csr

&type=export&category=certificate&certificate-name=CERTIFICATE_NAME&format=pem&include-key=no

You can add the following to cURL to send to a file

 > CERTIFICATE_PUB_ONLY.crt

&type=export&category=certificate&certificate-name=CERTIFICATE_NAME&format=pem&include-key=yes&passphrase=the_passphrase

You can add the following to cURL to send to a file

 > CERTIFICATE_WITH_KEY.crt

Remember to put the following cURL command before the HTTPS request

curl --insecure  --form file=@cert.pem

&type=import&category=certificate&format=pem&certificate-name=ImportedCert

&type=import&category=certificate&format=pem&passphrase=password&certificate-name=ImportedCert

&type=import&category=keypair&format=pem&passphrase=password&certificate-name=ImportedCert

&type=import&category=private-key&format=pem&passphrase=password&certificate-name=ImportedCert

&type=op&cmd=<load><config><partial><from>running-config.xml</from><from-xpath>/config/panorama/certificate/entry[@name='CERTIFICATE_NAME']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEMPLATE_NAME']/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/certificate/entry[@name='CERTIFICATE_NAME']</to-xpath><mode>merge</mode></partial></config></load>

&type=op&cmd=<load><config><partial><from>running-config.xml</from><from-xpath>/config/panorama/certificate/entry[@name='CERTIFICATE_NAME']</from-xpath><to-xpath>/config/devices/entry[@name='localhost.localdomain']/template/entry[@name='TEMPLATE_NAME']/config/shared/certificate/entry[@name='CERTIFICATE_NAME']</to-xpath><mode>merge</mode></partial></config></load>

curl --insecure --form file=@haKey.txt "&type=import&category=high-availability-key"