A PowerShell console GUI for managing certificates on Palo Alto Networks firewalls via XML API.
PAN-OS Certificate Manager is a PowerShell script that provides an interactive console-based dashboard for managing SSL/TLS certificates on Palo Alto Networks firewalls via the XML API — no GUI access required.
- 📋 Dashboard — view all certificates with expiry status (valid / expiring soon / expired)
- ✅ Validation — list and inspect certificates with detailed properties
- 📥 Import — upload certificates from local `.pem`, `.pfx` or `.p12` files
- 📤 Export — download certificates from the firewall to a local file
- 🗑️ Delete — remove certificates from the configuration
- 🔐 Generate — create new self-signed CA certificates or certificates signed by a local CA
- 🔄 Renew — regenerate existing certificates, replace with external files, or re-enroll via SCEP
- 🔑 Multi-device — manage multiple firewalls, each with its own stored API Key
- 💾 Persistent config — device list saved locally at `~/.panoscertmgr/devices.xml`
- PowerShell 5.1 or later (Windows PowerShell or PowerShell 7+)
- Network access to the firewall management interface (HTTPS, port 443)
- A PAN-OS API Key with sufficient privileges (see below)
| Device | PAN-OS |
|---|---|
| PA Series 5200 | 11.1.x |
Other PA-Series devices and PAN-OS versions should work, though some operational commands (e.g. `<days>` in certificate generation) may vary by version. The script handles these differences automatically with fallback logic.
You need an API Key to authenticate the script against each firewall.
When adding a device, choose "Generate API Key with username and password". The script will contact the firewall and retrieve the key automatically.
Browser:

```
https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>
```

curl:

```
curl -k "https://<firewall-ip>/api/?type=keygen&user=<username>&password=<password>"
```

Note that `-k` skips TLS certificate verification, and because the password is part of the URL it will be kept in browser history, shell history and any proxy logs on the path.

The response will contain your key:

```xml
<response status="success">
  <result>
    <key>LUFRPT1abc123...==</key>
  </result>
</response>
```

Create a dedicated Admin Role Profile (e.g. `api-certmanager`) under
Device → Admin Roles → Add with the following XML API permissions:
| XML API Permission | Value |
|---|---|
| Report | ✅ Enable |
| Log | ✅ Enable |
| Configuration | ✅ Enable |
| Operational Requests | ✅ Enable |
| Commit | ✅ Enable |
| Export | ✅ Enable |
| Import | ✅ Enable |
| User-ID Agent | ❌ Disable |
| IoT Agent | ❌ Disable |
Then create an administrator account (Device → Administrators → Add) assigned to that role profile, and use those credentials to generate the API Key.
💡 The built-in `superuser` role also works, but using a dedicated least-privilege role is recommended for production environments.
```powershell
# Run directly
.\PanOS-CertManager-v1.0-beta.ps1

# If execution policy blocks it
powershell -ExecutionPolicy Bypass -File .\PanOS-CertManager-v1.0-beta.ps1
```

- Select [2] Add device from the main menu
- Enter a descriptive name, the firewall IP/hostname and PAN-OS version
- Authenticate with username/password or paste an existing API Key
- The device is saved — select it any time from [5] Manage certificates
The device list is stored in the same folder as the script: `.\devices.xml`

⚠️ Do not move `devices.xml` to a different machine — API Keys are encrypted and tied to the current Windows user and machine (see below).
API Keys are never stored in plain text. The script uses the Windows Data Protection API (DPAPI) via PowerShell's `ConvertFrom-SecureString` to encrypt each key before saving:
| Property | Detail |
|---|---|
| Encryption | Windows DPAPI (AES-256 under the hood) |
| Tied to | Current Windows user account + machine |
| Portable? | No — keys cannot be decrypted on a different PC or user session |
| Recovery | Re-add the device and re-enter the API Key |
This means even if someone copies your devices.xml file, the API Keys inside are unreadable without your Windows session.
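As an added example (not the script's own code), here is the keygen request from the API Key section and the DPAPI-protected storage described here, written as PowerShell functions. The function names, the `lab-fw` device entry and the sample key value are hypothetical; only the `/api/?type=keygen` endpoint and the cmdlets are real.

```powershell
function Get-PanOsApiKey {
    param(
        [Parameter(Mandatory)][string]$Firewall,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # POST keeps the password out of the URL, so it does not land in browser
    # history, shell history or proxy logs. If the management interface uses a
    # self-signed certificate, trust it explicitly rather than disabling TLS checks.
    $body = @{ user     = $Credential.UserName
               password = $Credential.GetNetworkCredential().Password }
    $raw  = Invoke-WebRequest -Uri "https://$Firewall/api/?type=keygen" `
                              -Method Post -Body $body -UseBasicParsing
    [xml]$resp = $raw.Content
    if ($resp.response.status -ne 'success') {
        throw "keygen failed: $($resp.response.InnerText)"
    }
    return $resp.response.result.key
}

function Protect-ApiKey {
    param([Parameter(Mandatory)][string]$ApiKey)
    # Without -Key, ConvertFrom-SecureString uses Windows DPAPI, so the ciphertext
    # is bound to the current user and machine. Non-Windows PowerShell has no
    # DPAPI and does not give the same protection.
    $secure = ConvertTo-SecureString -String $ApiKey -AsPlainText -Force
    return ConvertFrom-SecureString -SecureString $secure
}

function Unprotect-ApiKey {
    param([Parameter(Mandatory)][string]$Encrypted)
    # Fails with a DPAPI error when run as a different user or on another PC.
    $secure = ConvertTo-SecureString -String $Encrypted
    return [System.Net.NetworkCredential]::new('', $secure).Password
}

# Constructed sample key (not a real one) to show the store/load round trip offline.
$sampleKey = 'LUFRPT1abc123...=='
$path   = Join-Path ([IO.Path]::GetTempPath()) 'devices-sample.xml'
$device = [pscustomobject]@{ Name = 'lab-fw'; Host = '192.0.2.10'; Key = Protect-ApiKey $sampleKey }
$device | Export-Clixml -Path $path          # Key is stored as DPAPI ciphertext, never plain text
$stored = Import-Clixml -Path $path
if ((Unprotect-ApiKey $stored.Key) -ne $sampleKey) { throw 'round trip failed' }
```

Copy `devices-sample.xml` to another machine or open it as another user and `Unprotect-ApiKey` throws instead of returning the key, which is the behaviour the table above describes.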
- The `<days>` parameter for certificate validity is not supported in all PAN-OS versions via API. The script detects this and retries without it automatically.
- Certificate properties (Subject, Issuer, Algorithm) may show as `N/A` for older certificates that do not populate those fields in the XML response.
- SCEP renewal requires a SCEP profile to already be configured on the firewall.
- Export with private key requires the certificate to have been imported with its key pair.
This script is free to use, distribute and modify, provided that:
- The original author is credited in any redistributed or modified version
- The author line (`Author: Alex Milla - alexmilla.dev`) is preserved in the script header
| Use case | Cost |
|---|---|
| Personal use | ✅ Free |
| Organizations < 50 employees | ✅ Free |
| Organizations ≥ 50 employees | ☕ Small contribution appreciated |
If your organization has 50 or more employees and finds this tool useful, a small contribution via Buy Me a Coffee is appreciated — it helps fund continued development and maintenance.
Alex Milla — alexmilla.dev