PaloAltoNetworks / pan-chainguard

Preload Trusted CA Intermediate Certificate Chains on PAN-OS

Add certs to a vsys - multiple issues #4

Open gmmd001 opened 1 week ago

gmmd001 commented 1 week ago

Describe the bug

Multiple issues when adding certs to a vsys on Panorama - No Trusted CA attribute; stored in Shared; cannot be removed

Expected behavior

Cert gets added to the vsys location, is marked as a Trusted CA and can be removed from the GUI

Current behavior

Specifying a --vsys argument causes the cert load to put the cert in the ssl-decrypt/trusted-root-CA xpath, but the certs show up in Panorama with the "Shared" location, the Trusted CA attribute is missing, and the certs cannot be deleted from Panorama:

    1- Failed to delete Certificate - 9005-F01C1ACA392882AF152E9F01EC.
       9005-F01C1ACA392882AF152E9F01EC cannot be deleted because of references from:
       template -> Master-Template -> config -> devices -> localhost.localdomain -> vsys -> TEST Virtual Firewall -> ssl-decrypt -> trusted-root-CA

Possible solution

No idea - I see a comment in the code for vsys loading:

    if args.vsys is not None:
        # XXX does not work
        kwargs['extra_qs']['target-tpl-vsys'] = args.vsys

so maybe this is a known issue?

Steps to reproduce

  1. Load certs using the -vsys argument
  2. Check the Device/Certificates vsys location in Panorama - certs show as Shared with no Trusted CA attribute
  3. Try deleting the cert from the vsys location or from Shared - both fail

Screenshots

Context

Trying to load certs to only one vsys due to election change freeze windows

Your Environment

Panorama 10.2.9-h11
Python 3.10.12
chainguard 0.5.0
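The symptom reported above (a certificate that Panorama shows under Shared while a template vsys references it from ssl-decrypt/trusted-root-CA, so the delete is refused) can be checked offline against an exported Panorama config before anyone tries to clean it up. The following is an added example written for this thread, not code from pan-chainguard or from the reporter. It assumes the exported XML mirrors the reference path quoted in the error message (template -> config -> devices -> localhost.localdomain -> vsys -> ssl-decrypt -> trusted-root-CA), with template-level Shared certificates under template/config/shared/certificate and vsys-level ones under the vsys entry's certificate node; the sample config embedded below is constructed for the example.

```python
"""Locate trusted-root-CA members of a Panorama template vsys and report
where each referenced certificate actually lives (vsys, shared or missing).
A 'shared' hit is the situation described in this issue: the reference from
the vsys trusted-root-CA list is what blocks deleting the Shared certificate.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (assumed layout, see lead-in): one certificate
# stored under the template's Shared location, one stored in the vsys,
# both listed as trusted root CAs for the vsys.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <template>
        <entry name="Master-Template">
          <config>
            <shared>
              <certificate>
                <entry name="9005-F01C1ACA392882AF152E9F01EC"/>
              </certificate>
            </shared>
            <devices>
              <entry name="localhost.localdomain">
                <vsys>
                  <entry name="TEST Virtual Firewall">
                    <certificate>
                      <entry name="vsys-local-root"/>
                    </certificate>
                    <ssl-decrypt>
                      <trusted-root-CA>
                        <member>9005-F01C1ACA392882AF152E9F01EC</member>
                        <member>vsys-local-root</member>
                      </trusted-root-CA>
                    </ssl-decrypt>
                  </entry>
                </vsys>
              </entry>
            </devices>
          </config>
        </entry>
      </template>
    </entry>
  </devices>
</config>"""


def trusted_ca_locations(config_xml):
    """Return [(template, vsys, cert_name, location)] for every member of a
    template vsys trusted-root-CA list. location is 'vsys' if the cert is
    stored in that vsys, 'shared' if it is stored in the template's Shared
    location, or 'missing' if no certificate object of that name exists."""
    root = ET.fromstring(config_xml)
    findings = []
    for tpl in root.findall("./devices/entry/template/entry"):
        tpl_cfg = tpl.find("config")
        if tpl_cfg is None:
            continue
        shared = {e.get("name") for e in tpl_cfg.findall("./shared/certificate/entry")}
        for vsys in tpl_cfg.findall("./devices/entry/vsys/entry"):
            local = {e.get("name") for e in vsys.findall("./certificate/entry")}
            for member in vsys.findall("./ssl-decrypt/trusted-root-CA/member"):
                name = (member.text or "").strip()
                location = "vsys" if name in local else "shared" if name in shared else "missing"
                findings.append((tpl.get("name"), vsys.get("name"), name, location))
    return findings


def deletion_blockers(config_xml):
    """Map each Shared certificate to the (template, vsys) trusted-root-CA
    lists that reference it; these references must be cleared before the
    Shared certificate can be deleted."""
    blockers = {}
    for tpl, vsys, name, location in trusted_ca_locations(config_xml):
        if location == "shared":
            blockers.setdefault(name, []).append((tpl, vsys))
    return blockers


if __name__ == "__main__":
    for tpl, vsys, name, location in trusted_ca_locations(SAMPLE_CONFIG):
        print(f"{tpl} / {vsys}: {name} -> stored in {location}")
    for name, refs in deletion_blockers(SAMPLE_CONFIG).items():
        print(f"{name} is Shared but referenced from: {refs}")
```

Run against a real export (`show config` output saved as XML, or the config file from a Panorama config bundle) the `deletion_blockers` result is the list of vsys trusted-root-CA references to remove first; a cert that reports as 'missing' is a dangling reference rather than this issue.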

kevinsteves commented 1 week ago

Import to Panorama template with vsys doesn't work today due to a PAN-OS issue with target-tpl-vsys. This is issue ID PAN-257229 and it has been addressed; however, it's not yet available in any Panorama release.

If you are able to log a support case and reference PAN-257229 and your Panorama version, it will help to prioritise the need to back port the fix.

gmmd001 commented 6 days ago

Thanks for the info. I'll open a case and bug my SE about this too and see if we can get it released.