Manage Let’s Encrypt With PANW


Using Let's Encrypt in the lab to decrypt traffic traversing a Palo Alto Networks firewall. It was much easier to automate than I thought. One caveat up front: Let's Encrypt only issues server (leaf) certificates, so this covers inbound inspection of your own servers; forward-proxy decryption needs a CA certificate the firewall can sign with, which Let's Encrypt will not give you.

First, I just set WACS (win-acme) to store the certificate on disk as a PFX when it does the renewal. Then a few commands against the firewall's XML API do the rest:

curl -F "file=@c:\pathtocertificate.pfx" "https://test.domain.com/api/?key=<APIKEY>&type=import&category=keypair&certificate-name=LECert&format=pkcs12&passphrase=<passphrase>"

curl "https://test.domain.com/api/?key=<APIKEY>&type=commit&cmd=<commit></commit>"

If you get credential errors when trying to generate the API key, URL-encode any special characters in your password (or POST the credentials in the request body and let curl encode them with --data-urlencode). And when curl gives you SSL errors, it is because the management interface presents a certificate your machine does not trust; the -k switch skips verification and gets you going in the lab, but for anything beyond the lab point curl at the management certificate with --cacert instead, since -k also lets a spoofed firewall collect your API key.
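Putting the steps above into one hook script, as an added example that is not from the post: win-acme can run a script after each renewal, so this wrapper takes the PFX path and passphrase, imports the key pair, and only commits when the import reported success. It assumes a POSIX shell with curl (Git Bash or WSL on the Windows host, or a Linux box that can read the PFX), that the API key is exported as PANFW_KEY, and that the hostname, certificate name and variable names are placeholders. It sends the key in the X-PAN-KEY header instead of the URL so it stays out of proxy and web-server logs, and it percent-encodes the passphrase and commit command rather than relying on curl to pass raw characters through.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Post-renewal hook: import the PFX win-acme wrote to disk into PAN-OS, then commit.
# Assumes: POSIX sh + curl, API key exported as PANFW_KEY, placeholder host/cert names.
set -eu

PANFW_HOST="${PANFW_HOST:-test.domain.com}"   # firewall management address (placeholder)
PANFW_CACERT="${PANFW_CACERT:-}"              # PEM of the mgmt cert; empty falls back to -k
CERT_NAME="${CERT_NAME:-LECert}"              # certificate object name on the firewall

# Percent-encode an ASCII string for use in a query parameter (space, &, =, <, >, ...).
urlencode() {
  _s="$1"; _out=""
  while [ -n "$_s" ]; do
    _c="${_s%"${_s#?}"}"; _s="${_s#?}"      # peel off the first character
    case "$_c" in
      [A-Za-z0-9._~-]) _out="$_out$_c" ;;
      *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
    esac
  done
  printf '%s' "$_out"
}

# Every PAN-OS XML API reply is wrapped in <response status="success|error" ...>.
pan_response_ok() {
  case "$1" in
    *'<response status="success"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the key out of a keygen reply (<key>...</key>).
pan_extract_key() {
  printf '%s' "$1" | sed -n 's/.*<key>\([^<]*\)<\/key>.*/\1/p'
}

# Verify the management certificate when we have a copy of it; otherwise lab mode (-k).
tls_opt() {
  if [ -n "$PANFW_CACERT" ]; then printf '%s' "--cacert $PANFW_CACERT"; else printf '%s' '-k'; fi
}

# Call the API with the key in the X-PAN-KEY header rather than in the URL.
# Extra arguments are passed straight to curl (e.g. -F for the file upload).
pan_api() {
  _query="$1"; shift
  curl -sS $(tls_opt) -H "X-PAN-KEY: $PANFW_KEY" "$@" "https://$PANFW_HOST/api/?$_query"
}

# One-time key generation: credentials go in a POST body, URL-encoded by curl,
# which sidesteps the "special characters in the password" problem.
pan_keygen() {  # $1 = user, $2 = password
  _resp=$(curl -sS $(tls_opt) --data-urlencode "user=$1" --data-urlencode "password=$2" \
          "https://$PANFW_HOST/api/?type=keygen")
  pan_response_ok "$_resp" || { echo "keygen failed: $_resp" >&2; return 1; }
  pan_extract_key "$_resp"
}

import_pfx() {  # $1 = path to the PFX, $2 = PFX passphrase
  _resp=$(pan_api "type=import&category=keypair&certificate-name=$CERT_NAME&format=pkcs12&passphrase=$(urlencode "$2")" \
          -F "file=@$1")
  pan_response_ok "$_resp" || { echo "import failed: $_resp" >&2; return 1; }
}

commit_config() {
  _resp=$(pan_api "type=commit&cmd=$(urlencode '<commit></commit>')")
  pan_response_ok "$_resp" || { echo "commit failed: $_resp" >&2; return 1; }
}

# Usage: PANFW_KEY=... ./panfw-le-hook.sh /path/to/cert.pfx 'pfx-passphrase'
# A failed import must never be followed by a commit, hence the && chain.
if [ $# -ge 2 ]; then
  import_pfx "$1" "$2" && commit_config && echo "certificate $CERT_NAME imported and committed"
fi
```

Point win-acme's post-renewal script option at this file and hand it the PFX path and password it used; the parameter names for those values are in the win-acme documentation and are not assumed here. The commit request does not wait for the job to finish; if you need to know the commit succeeded rather than just that it was queued, poll the job ID the commit reply returns before treating the renewal as done.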

