Panorama cert replacement via API. - eviltoast

So I have had this script I have been working on for a while, intended to automate LetsEncrypt renewals and deploy those certs to Panorama for Palo Alto endpoints.

I have had some success by brute-forcing the process. Delete pubkey and privkey, then replace. This is problematic if any of those certs are being used in objects though.

Is there an API mechanism anyone is aware of, XML or REST, than can be used to replace a cert currently being utilized in objects?

Or is the mechanism really only to deploy to a whole new entry, and switch the SSL profile to that new one? That’s the only other path forward I can currently see, and it feels like extra work.

  • keefshape@lemmy.worldOP
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    Oh shit, first set of examples for the REST docs shows importing s combined keypair! That would solve the keypair mismatch when importing one at a time.

    Solid! 👊

    • jemikwa@lemmy.blahaj.zone
      link
      fedilink
      English
      arrow-up
      2
      ·
      edit-2
      1 year ago

      Makes sense, you can do the same with the GUI if you import it as an encrypted .pem with the public and private key in the same file.