Deploying Certificate to Palo Alto

The certificate deployment involves modifying the script and executing it with sudo permissions.

Modify Script

Modifications must be made to the script for it to work with Sectigo ACME:

  1. Modify the variables section of the script.

    CA_URL=https://acme.enterprise.sectigo.com
    EAB_KID=<Sectigo ACME Key ID>
    EAB_HMAC=<Sectigo ACME HMAC Key>
    PAN_MGMT=<FW_MGMT_FQDN_OR_IP>
    FQDN=<CERTIFICATE_FQDN(s)>
    EMAIL=<EMAIL_ADDRESS>
    API_KEY=$(cat FULL_PATH_TO/.panrc)
    CERT_NAME=<CERTNAME>
    GP_PORTAL_TLS_PROFILE=GP_PORTAL_PROFILE
    GP_GW_TLS_PROFILE=GP_EXT_GW_PROFILE
    TEMP_PWD=$(openssl rand -hex 15)

  2. Delete the CLOUDFLARE_CREDS=<FULL_PATH_TO>/cloudflare.ini line from the script.

  3. Replace the original certbot command.

    sudo /usr/local/bin/certbot certonly --dns-cloudflare --dns-cloudflare-credentials $CLOUDFLARE_CREDS -d *.$FQDN -n --agree-tos --force-renew

    with:

    sudo /usr/local/bin/certbot certonly --standalone --non-interactive --agree-tos --email $EMAIL --server $CA_URL --eab-kid $EAB_KID --eab-hmac-key $EAB_HMAC -d $FQDN -n
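The variables and certbot command above, as an added shell example that is not the original pan_sectigo.sh: it checks the Sectigo ACME settings before certbot is called (EAB key ID and HMAC present, an https CA URL, no wildcard name, because --standalone uses the HTTP-01 challenge and cannot issue *.domain certificates the way the deleted DNS-01 Cloudflare command could), refuses to proceed if the .panrc file holding API_KEY is readable by group or others, and assembles the certbot command with one -d per space-separated name. Function names and the sample values are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the original pan_sectigo.sh: sanity-check the Sectigo
# ACME settings and assemble the certbot command before anything is run.
CERTBOT=/usr/local/bin/certbot   # same path the script uses

# Fail early on settings that would make the --standalone request fail.
# Arguments: CA_URL EAB_KID EAB_HMAC "FQDN(s)" EMAIL. Returns 0 if usable.
validate_acme_vars() {
  case "$1" in
    https://*) ;;
    *) echo "CA_URL must be an https:// ACME directory URL" >&2; return 1 ;;
  esac
  if [ -z "$2" ] || [ -z "$3" ]; then
    echo "EAB_KID and EAB_HMAC (Sectigo ACME key ID and HMAC) are required" >&2
    return 1
  fi
  case "$4" in
    ''|*\**) echo "FQDN must be set and not a wildcard: --standalone uses HTTP-01, which cannot issue *.domain (DNS-01 can)" >&2; return 1 ;;
  esac
  case "$5" in
    *@*.*) ;;
    *) echo "EMAIL must be a valid address" >&2; return 1 ;;
  esac
  return 0
}

# The script reads API_KEY from .panrc; refuse to continue if that file is
# readable by group or others (ls -l is portable where stat -c is not).
check_secret_perms() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
  case "$mode" in
    ------) return 0 ;;
    *) echo "$1 must be mode 600 (owner only), found '$mode'" >&2; return 1 ;;
  esac
}

# Print the certbot invocation, emitting one -d per space-separated name so
# FQDN="gp.example.com gw.example.com" yields two -d options.
build_certbot_cmd() {
  validate_acme_vars "$1" "$2" "$3" "$4" "$5" || return 1
  domains=""
  for name in $4; do domains="$domains -d $name"; done
  printf '%s %s\n' "$CERTBOT certonly --standalone --non-interactive --agree-tos" \
    "--email $5 --server $1 --eab-kid $2 --eab-hmac-key $3$domains"
}
```

--standalone starts its own listener on port 80 of the host running the script for the HTTP-01 validation, so that port must be free there and reachable from the CA.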

Deploy Certificate to Palo Alto Firewall

Once the script is modified, execute it with sudo permissions.

$ sudo ./pan_sectigo.sh
Sectigo ACME Palo Alto GlobalProtect Execute Script