3 # Script to deploy certificates to Palo Alto Networks PANOS via API
4 # Note PANOS API KEY and IP address needs to be set prior to running.
5 # The following variables exported from environment will be used.
6 # If not set then values previously saved in domain.conf file are used.
8 # Firewall admin with superuser and IP address is required.
10 # export PANOS_USER="" # required
11 # export PANOS_PASS="" # required
12 # export PANOS_HOST="" # required
13 # export PANOS_KEY="" # optional
15 # This function is to parse the XML
18 if [ "$type" = 'keygen' ]; then
19 status
=$
(echo "$1" |
sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
20 if [ "$status" = "success" ]; then
21 panos_key
=$
(echo "$1" |
sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
24 message
="PAN-OS Key could not be set."
27 status
=$
(echo "$1" |
sed 's/^.*"\([a-z]*\)".*/\1/g')
28 message
=$
(echo "$1" |
sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
29 if [ "$type" = 'testkey' ] && [ "$status" != "success" ]; then
30 _debug
"**** Saved API key is invalid ****"
39 type=$1 # Types are testkey, keygen, cert, key, commit
40 _debug
"**** Deploying $type ****"
41 panos_url
="https://$_panos_host/api/"
43 #Test API Key by performing an empty commit.
44 if [ "$type" = 'testkey' ]; then
45 _H1
="Content-Type: application/x-www-form-urlencoded"
46 content
="type=commit&cmd=<commit></commit>&key=$_panos_key"
50 if [ "$type" = 'keygen' ]; then
51 _H1
="Content-Type: application/x-www-form-urlencoded"
52 content
="type=keygen&user=$_panos_user&password=$_panos_pass"
53 # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}"
56 if [ "$type" = 'cert' ] ||
[ "$type" = 'key' ]; then
58 delim
="-----MultipartDelimiter$(date "+%s
%N
")"
61 export _H1
="Content-Type: multipart/form-data; boundary=$delim"
62 if [ "$type" = 'cert' ]; then
63 panos_url
="${panos_url}?type=import"
64 content
="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\ncertificate"
65 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
66 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
67 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
68 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
70 if [ "$type" = 'key' ]; then
71 panos_url
="${panos_url}?type=import"
72 content
="--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\nprivate-key"
73 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n$_cdomain"
74 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
75 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
76 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
77 content
="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
80 content
="$content${nl}--$delim--${nl}${nl}"
82 content
=$
(printf %b
"$content")
85 if [ "$type" = 'commit' ]; then
86 export _H1
="Content-Type: application/x-www-form-urlencoded"
87 cmd
=$
(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode
)
88 content
="type=commit&key=$_panos_key&cmd=$cmd"
90 response
=$
(_post
"$content" "$panos_url" "" "POST")
91 parse_response
"$response" "$type"
92 # Saving response to variables
93 response_status
=$status
95 _debug response_status
"$response_status"
96 if [ "$response_status" = "success" ]; then
97 _debug
"Successfully deployed $type"
100 _err
"Deploy of type $type failed. Try deploying with --debug to troubleshoot."
106 # This is the main function that will call the other functions to deploy everything.
108 _cdomain
=$
(echo "$1" |
sed 's/*/WILDCARD_/g') #Wildcard Safe Filename
111 # VALID ECC KEY CHECK
112 keysuffix
=$
(printf '%s' "$_ckey" |
tail -c 8)
113 if [ "$keysuffix" = "_ecc.key" ] && [ ! -f "$_ckey" ]; then
114 _debug
"The ECC key $_ckey doesn't exist. Attempting to strip '_ecc' from the key name"
115 _ckey
=$
(echo "$_ckey" |
sed 's/\(.*\)_ecc.key$/\1.key/g')
116 if [ ! -f "$_ckey" ]; then
117 _err
"Unable to find a valid key. Try issuing the certificate using RSA (non-ECC) encryption."
121 # PANOS ENV VAR check
122 if [ -z "$PANOS_USER" ] ||
[ -z "$PANOS_PASS" ] ||
[ -z "$PANOS_HOST" ]; then
123 _debug
"No ENV variables found lets check for saved variables"
124 _getdeployconf PANOS_USER
125 _getdeployconf PANOS_PASS
126 _getdeployconf PANOS_HOST
127 _getdeployconf PANOS_KEY
128 _panos_user
=$PANOS_USER
129 _panos_pass
=$PANOS_PASS
130 _panos_host
=$PANOS_HOST
131 _panos_key
=$PANOS_KEY
132 if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
133 _err
"No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
136 _debug
"Using saved env variables."
139 _debug
"Detected ENV variables to be saved to the deploy conf."
140 # Encrypt and save user
141 _savedeployconf PANOS_USER
"$PANOS_USER" 1
142 _savedeployconf PANOS_PASS
"$PANOS_PASS" 1
143 _savedeployconf PANOS_HOST
"$PANOS_HOST" 1
144 _panos_user
="$PANOS_USER"
145 _panos_pass
="$PANOS_PASS"
146 _panos_host
="$PANOS_HOST"
147 if [ "$PANOS_KEY" ]; then
148 _savedeployconf PANOS_KEY
"$PANOS_KEY" 1
149 _panos_key
="$PANOS_KEY"
151 _getdeployconf PANOS_KEY
152 _panos_key
=$PANOS_KEY
155 _debug
"Let's use username and pass to generate token."
156 if [ -z "$_panos_user" ] ||
[ -z "$_panos_pass" ] ||
[ -z "$_panos_host" ]; then
157 _err
"Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
161 if [ "$_panos_key" ]; then
162 _debug
"**** Testing Saved API KEY ****"
166 # Generate a new API key if no valid key exists
167 if [ -z "$_panos_key" ]; then
168 _debug
"**** Generating new PANOS API KEY ****"
170 _savedeployconf PANOS_KEY
"$_panos_key" 1
173 # Confirm that a valid key was generated
174 if [ -z "$_panos_key" ]; then
175 _err
"Missing apikey."