Palo Alto Networks | Breek Een Been https://blog.breekeenbeen.nl/tag/palo-alto-networks/ Palo Alto Networks Source Themes Academic (https://sourcethemes.com/academic/)en-usRob MaasSat, 25 Mar 2023 13:03:12 +0100 https://blog.breekeenbeen.nl/images/icon_hue0c3a5851739ca8a2afc787728ee763e_182872_512x512_fill_lanczos_center_3.png Palo Alto Networks https://blog.breekeenbeen.nl/tag/palo-alto-networks/ Automate Export certificates and keys from Kubernetes and import in Palo Alto Networks https://blog.breekeenbeen.nl/post/automate-export-of-certificates-from-k8s-and-import-in-palo-alto-networks/ Sat, 25 Mar 2023 13:03:12 +0100 https://blog.breekeenbeen.nl/post/automate-export-of-certificates-from-k8s-and-import-in-palo-alto-networks/ <p>In my precious post I explained how to export certificates and keys from Kubernetes and how to set a password on the key file for import in Palo Alto Networks (by hand). Since I&rsquo;ve several services running on Kubernetes, all with there own certificate and key. I wanted to automate this process. This is good practice, especially since the certificates are relatively short lived, which means I need to renew the certificates on the firewall at least every 90 days. The first step I did was creating a bash script that would take care of this.</p> <p>I know I&rsquo;ve hardcoded the passphrase on the certificate key, for this temporarily solution this is fine. I can delete all <code>crt</code> and <code>key</code> files after the import.</p> <p>Next step is of course to see if I can automate this when a certificate is renewed. The <code>watch</code> command could help with this.</p> <pre><code class="language-bash">#!/bin/bash # # Description: Get all certificates from all namespaces and import them into the Palo Alto Networks firewall # Uses: awk, kubectl, openssl FW_HOST=&quot;1.2.3.4&quot; API_KEY=&quot;VERYSECRETAPIKEY&quot; while read ns cert do echo &quot;retrieving: $ns $cert&quot; # Get the certificate and key from the secret kubectl get secrets -n $ns $cert -o json | jq -r '.data.&quot;tls.crt&quot;' | base64 -d &gt; $cert.crt kubectl get secrets -n $ns $cert -o json | jq -r '.data.&quot;tls.key&quot;' | base64 -d &gt; $cert.key # Set the password for the key - This is required for the import on the Palo Alto Networks firewall openssl rsa -aes256 -in $cert.key -out $cert.key -passout &quot;pass:P@ssw0rd!&quot; # Import the certificate and key into the Palo Alto Networks firewall curl -k -X POST -F &quot;file=@$cert.crt&quot; &quot;https://$FW_HOST/api/?key=$API_KEY&amp;type=import&amp;category=certificate&amp;certificate-name=$cert&amp;format=pem&quot; curl -k -X POST -F &quot;file=@$cert.key&quot; &quot;https://$FW_HOST/api/?key=$API_KEY&amp;type=import&amp;category=private-key&amp;certificate-name=$cert&amp;format=pem&amp;passphrase=P@ssw0rd!&quot; done &lt; &lt;(kubectl get certificates -A -o custom-columns=NAMESPACE:.metadata.namespace,SECRET:.spec.secretName --no-headers --sort-by=.metadata.namespace | awk '{print $1 &quot; &quot; $2}') </code></pre>