Using the connector
To list all possible options for the connector, run it with the --help
option.
python3 paloaltoagent.py --help
Enroll a certificate
You can enroll for a specific certificate profile.
python3 paloaltoagent.py -a enroll -p <certificate>.yaml
Verify SSL enablement
To view the provisioned certificate in the Palo Alto firewall:
- Navigate to the Device tab.
- Select .
Renew a certificate
You can renew certificates for a specific certificate profile or for all certificate profiles available in the profile’s path.
python3 paloaltoagent.py -a renew
python3 paloaltoagent.py -a renew -p <certificate>.yaml
Enable auto-renewal
You can create a cronjob that invokes the connector on a schedule (see crontab for cron schedule expressions). To check the certificate's eligibility for renewal and, if eligible, renew it:
- Run crontab -e on the terminal.
- Select an editor.
- Add a cronjob that will trigger the connector. The following example triggers paloaltoagent.py every week.
- Save the changes and exit.
Revoke or replace a certificate
Certificate revocation is done manually in SCM. If a certificate is revoked in SCM, then during the next connector execution, the Sectigo CA server issues a new certificate, unless the certificate profile file has been removed. The connector imports the new certificate into the certificate management area of Palo Alto Firewall.
View the logs
The log files are stored in the location indicated by the sectigo_log_path parameter of the config.yaml file.
By default, all events are recorded.
__main__ - INFO - Loading certificate profile cert1.yaml
paloaltofw.utils.sectigo_sops - DEBUG - Environment variable sectigo_gnu_key_store not defined. Getting fingerprint from the config file
paloaltofw.utils.sectigo_sops - DEBUG - File decrypted sectigo_credentials.yaml.
paloaltofw.utils.sectigo_sops - DEBUG - Environment variable sectigo_gnu_key_store not defined. Getting fingerprint from the config file
paloaltofw.utils.sectigo_sops - DEBUG - File decrypted fw_paloalto1.yaml.
...
__main__ - INFO - Certificate cert1 enrolled on SCM
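As an added example (not part of the connector's documentation or code), the following Python checker reads a connector log in the "logger - LEVEL - message" format shown above, which is useful after an unattended cron renewal: it parses each line, counts records per level, and reports whether any certificate was logged as enrolled on SCM. The ERROR line in the sample is constructed, and treating "enrolled on SCM" as the success marker is an assumption based only on the excerpt above.

```python
import re
from collections import Counter

# Constructed sample log in the connector's "logger - LEVEL - message" format.
# The first five lines mirror the excerpt above; the ERROR line is constructed.
SAMPLE_LOG = """\
__main__ - INFO - Loading certificate profile cert1.yaml
paloaltofw.utils.sectigo_sops - DEBUG - Environment variable sectigo_gnu_key_store not defined. Getting fingerprint from the config file
paloaltofw.utils.sectigo_sops - DEBUG - File decrypted sectigo_credentials.yaml.
paloaltofw.utils.sectigo_sops - DEBUG - File decrypted fw_paloalto1.yaml.
__main__ - INFO - Certificate cert1 enrolled on SCM
__main__ - ERROR - Certificate cert2 enrollment failed (constructed sample line)
"""

LINE_RE = re.compile(r"^(?P<logger>\S+) - (?P<level>[A-Z]+) - (?P<message>.*)$")
ENROLLED_RE = re.compile(r"Certificate (\S+) enrolled on SCM")  # assumed success marker


def parse_log(text):
    """Split log text into records; lines that do not match the format
    (for example traceback lines) are kept with level 'RAW'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
        else:
            records.append({"logger": None, "level": "RAW", "message": line})
    return records


def summarize(records):
    """Return per-level counts and the profiles reported as enrolled on SCM."""
    levels = Counter(r["level"] for r in records)
    enrolled = []
    for r in records:
        m = ENROLLED_RE.match(r["message"])
        if m:
            enrolled.append(m.group(1))
    return {"levels": dict(levels), "enrolled": enrolled}


def run_ok(records):
    """A scheduled run is healthy when no ERROR/CRITICAL record appears and
    at least one certificate was reported enrolled."""
    failed = any(r["level"] in ("ERROR", "CRITICAL") for r in records)
    return not failed and bool(summarize(records)["enrolled"])
```

In a cron wrapper, run_ok over the log written by that execution decides whether to alert; the per-level counts also show how much DEBUG detail (such as which credential files were decrypted) the log retains.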