Overview: Custom Certificates for Authentication
By default, Palo Alto Networks devices use predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication. However, you can configure authentication using custom certificates instead. Additionally, you can use custom certificates to secure the High Availability (HA) connections between Panorama HA peers.
Custom certificates allow you to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and log collectors. See Certificate Management for detailed information about the certificates and how to deploy them on Panorama, Log Collectors, and firewalls.
The following topics describe how to configure and manage custom certificates using Panorama.
How Are SSL/TLS Connections Mutually Authenticated?
In a regular SSL connection, only the server needs to identify itself to the client by presenting its certificate. In mutual SSL authentication, the client presents its certificate to the server as well. Panorama, the primary Panorama HA peer, Log Collectors, WildFire appliances, and PAN-DB appliances can act as the server. Firewalls, Log Collectors, WildFire appliances, and the secondary Panorama HA peer can act as the client. The role that a device takes on depends on the deployment. For example, in the diagram below, Panorama manages a number of firewalls and a Collector Group and acts as the server for the firewalls and Log Collectors. The Log Collector acts as the server to the firewalls that send logs to it.
To deploy custom certificates for mutual authentication in your deployment, you need:
- SSL/TLS Service Profile: An SSL/TLS service profile defines the security of the connections by referencing your custom certificate and establishing the SSL/TLS protocol versions that the server device uses to communicate with client devices.
- Server Certificate and Profile: Devices in the server role require a certificate and a certificate profile to identify themselves to the client devices. You can deploy this certificate from your enterprise public key infrastructure (PKI), purchase one from a trusted third-party CA, or generate a self-signed certificate locally. The server certificate must include the IP address or FQDN of the device's management interface in the certificate common name (CN) or Subject Alt Name. The client firewall or Log Collector matches the CN or Subject Alt Name in the certificate the server presents against the server's IP address or FQDN to verify the server's identity.
  Additionally, use the certificate profile to define how certificate revocation status is checked (OCSP/CRL) and the actions taken based on the revocation status.
- Client Certificates and Profile: Each managed device requires a client certificate and a certificate profile. The client device uses its certificate to identify itself to the server device. You can deploy certificates from your enterprise PKI using Simple Certificate Enrollment Protocol (SCEP), purchase one from a trusted third-party CA, or generate a self-signed certificate locally.
  Custom certificates can be unique to each client device or common across all devices. A unique device certificate uses a hash of the managed device's serial number and the CN. The server matches the CN or the Subject Alt Name against the configured serial numbers of the client devices. For client certificate validation based on the CN to occur, the username must be set to Subject common-name. The client certificate behavior also applies to Panorama HA peer connections.
  You can configure the client certificate and certificate profile on each client device or push the configuration from Panorama to each device as part of a template.

This diagram shows Panorama acting as a server to managed firewalls and log collectors, while a log collector acts as a server to firewalls sending logs to it, demonstrating the roles in mutual SSL/TLS authentication.
Configure Authentication Using Custom Certificates on Panorama (Server Side)
Complete the following procedure to configure the server side (Panorama) to use custom certificates instead of predefined certificates for mutual authentication with managed devices in your deployment. See the HA documentation for configuring custom certificates on a Panorama HA pair.
- Deploy the server certificate.
  You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or by obtaining a certificate from your enterprise certificate authority (CA) or a trusted third-party CA.
- On Panorama, configure a certificate profile. The certificate profile defines which certificate to use and which certificate field (CN or Subject Alt Name) to examine for the IP address or FQDN.
  - Select Panorama > Certificate Management > Certificate Profile.
  - Configure a certificate profile.
  - If you configure an intermediate CA as part of the certificate profile, you must include the root CA as well.
- Configure an SSL/TLS service profile.
  - Select Panorama > Certificate Management > SSL/TLS Service Profile.
  - Configure an SSL/TLS service profile to define the certificate and protocol versions that Panorama and its managed devices use for SSL/TLS services.
- Configure Secure Server Communication on Panorama or on a Log Collector in the server role.
  - Select one of the following navigation paths:
    - For Panorama: Panorama > Setup > Management, then Edit the Secure Communications Settings.
    - For a Log Collector: Panorama > Managed Collectors > Add > Communication.
  - Select the Customize Secure Server Communication option.
  - Verify that the Allow Custom Certificate Only check box is not selected initially. This lets you continue managing all devices while you migrate them to custom certificates.
    When the Allow Custom Certificate Only check box is selected, Panorama does not authenticate, and therefore cannot manage, devices that still use predefined certificates.
  - Select the SSL/TLS Service Profile. This profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
  - Select the Certificate Profile that identifies the certificate to use to establish secure communication with clients such as firewalls.
- (Optional) Configure an authorization list. This adds security beyond certificate authentication by checking the client certificate Subject or Subject Alt Name against an identifier list.
  - Add an Authorization List.
  - Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
  - Enter the Common Name if the identifier is Subject, or an IP address, hostname, or email address if the identifier is Subject Alt Name.
  - Click OK.
  - Select Check Authorization List to enforce it.
  You can also authorize client devices based on their serial number.
  - Select Authorize Client Based on Serial Number to authenticate clients based on managed device serial numbers. The CN or subject in the client certificate must contain the special keyword $UDID to enable this.
  - Select the Data Redistribution option in the Customize Communication section to use a custom certificate for outgoing communication with data redistribution clients.
  - In Disconnect Wait Time (min), specify how long Panorama should wait before terminating the current session and reestablishing the connection (0 to 44,640 minutes; blank = 0).
    The disconnect wait time does not begin counting down until you commit the new configuration.
  - Click OK.
  - Commit your changes.
Configure Authentication Using Custom Certificates on Managed Devices (Client Side)
Complete the following procedure to configure the client side (firewall or Log Collector) to use custom certificates instead of predefined certificates for mutual authentication with managed devices in your deployment.
- Upgrade each managed firewall or Log Collector. All managed devices must be running PAN-OS 8.0 or later to enforce custom certificate authentication.
  Upgrade the firewall. After the upgrade, each firewall connects to Panorama using the default predefined certificates.
- Obtain or generate the device certificate.
  You can deploy certificates by generating them as self-signed or by obtaining them from a CA.
  Set the common name to $UDID, or the subject to CN=$UDID (in the SCEP profile), if you are authorizing client devices based on serial number.
  - You can generate a self-signed certificate on Panorama or obtain one from your enterprise CA or a trusted third-party CA.
  - If using SCEP for the device certificate, configure a SCEP profile. SCEP allows automatic certificate deployment to managed devices.
- Configure the certificate profile for the client device.
  You can configure this on each client device individually or push it via a template.
  - Select one of the following navigation paths:
    - For firewalls: Select Device > Certificate Management > Certificate Profile.
    - For Log Collectors: Select Panorama > Certificate Management > Certificate Profile.
  - Configure the certificate profile.
- Deploy custom certificates on each firewall or Log Collector.
  - Select one of the following navigation paths:
    - For firewalls: Select Device > Setup > Management and Edit the Panorama Settings.
    - For Log Collectors: Select Panorama > Managed Collectors and Add a new Log Collector or select an existing one. Select Communication.
  - Select the Secure Client Communication check box (firewall only).
  - Select the Certificate Type.
    - If using a local device certificate, select the Certificate and Certificate Profile.
    - If using SCEP, select the SCEP Profile and Certificate Profile.
    - If using the default Panorama certificate, select Predefined.
  - (Optional) Enable Check Server Identity. The client checks the CN in the server certificate against Panorama's IP address or FQDN.
  - Click OK.
  - Commit your changes.
  After committing your changes, the managed device does not terminate its current session with Panorama until the Disconnect Wait Time (configured on Panorama) has elapsed.
  - Select the incoming communication types for which you want to use a custom certificate:
    - HA Communication
    - WildFire Communication
    - Data Redistribution
- After deploying custom certificates on ALL managed devices, enforce authentication using custom certificates on Panorama.
  The WildFire appliance does not currently support custom certificates. If your Panorama is managing a WildFire appliance, do not select Allow Custom Certificate Only.
  - Select Panorama > Setup > Management and Edit the Panorama Settings.
  - Select Allow Custom Certificate Only.
  - Click OK.
  - Commit your changes.
  After committing this change, all devices managed by Panorama MUST use custom certificates. If not, authentication between Panorama and the device fails.
Add New Client Devices
When adding a new firewall or Log Collector to Panorama, the workflow depends on whether Panorama is configured to use custom certificates only for mutual authentication.
- If Allow Custom Certificate Only is not selected on Panorama: You can add the device to Panorama first using predefined certificates, and then deploy the custom certificate by following the process in Configure Authentication Using Custom Certificates on Managed Devices.
- If Allow Custom Certificate Only is selected on Panorama: You MUST deploy the custom certificates on the firewall BEFORE adding it to Panorama. Otherwise, the managed device is not able to authenticate with Panorama. You can do this manually through the firewall web interface or through bootstrapping, as part of the bootstrap.xml file.
If a custom certificate in your deployment has expired or been revoked and needs to be replaced, see the following sections.
Change a Server Certificate
Complete the following task to replace an expired or revoked server certificate (on Panorama or a Server Log Collector).
- Deploy the new server certificate.
  Generate or obtain the new certificate as described previously.
- Change the certificate in the SSL/TLS Service Profile.
  - Select Panorama > Certificate Management > SSL/TLS Service Profile and select the relevant profile.
  - Select the new Certificate from the drop-down.
  - Click OK.
- Reestablish the connection between the server and the client devices.
  - Select Panorama > Setup > Management and Edit the Panorama Settings (for Panorama), or select Panorama > Managed Collectors > Add > Communication (for a Log Collector).
  - Set the Disconnect Wait Time (for example, to 1 minute) to force a reconnection relatively quickly.
  - Click OK.
  - Commit your changes. After the wait time expires post-commit, Panorama disconnects from the managed devices and reconnects using the new server certificate.
Change a Client Certificate
Complete the following task to replace an expired or revoked client certificate on a managed device (Firewall or Client Log Collector).
- Obtain or generate the new device certificate.
  Ensure the CN or subject is correct, especially if you use $UDID for serial-number authentication.
  If using SCEP, ensure the SCEP server provides the new certificate upon request.
- Change the certificate associated with the client device's configuration.
  This step depends on how the client certificate was initially deployed:
  - If using a local certificate (not SCEP) deployed via a Template:
    - Import the new certificate to Panorama (Panorama > Certificate Management > Certificates > Import).
    - Push the new certificate to the managed device(s) via the Template (Panorama > Templates > select template > Device > Certificate Management > Certificates).
    - Update the Panorama Settings within the Template Stack (Panorama > Templates > select template stack > Templates > select template > Device > Setup > Management > Panorama Settings). Change the selected Certificate under Secure Client Communication to the new one.
    - Commit and Push the template changes.
  - If using a local certificate (not SCEP) configured directly on the device:
    - Import the new certificate directly onto the firewall or Log Collector (Device > Certificate Management > Certificates > Import).
    - Update the device's Panorama Settings (Device > Setup > Management > Panorama Settings). Change the selected Certificate under Secure Client Communication.
    - Commit the changes on the device.
  - If using SCEP:
    - Ensure the SCEP server is configured to issue the new certificate.
    - The device should automatically attempt to renew or retrieve the certificate based on the SCEP profile settings. You may need to trigger this manually or wait for the renewal interval. Check the SCEP logs on the device.
    - No change is typically needed in the Panorama Settings on the device or template itself, because they point to the SCEP profile rather than to a specific certificate.
- Reestablish the connection.
  The connection should re-establish using the new certificate automatically on the next connection attempt after the certificate is updated on the client. If needed, you can force a reconnect by setting the Disconnect Wait Time on Panorama.
Change a Root or Intermediate CA Certificate
Replacing a CA certificate that signs either the server or client certificates requires careful steps to avoid breaking communication.
- Temporarily disable strict custom certificate enforcement on Panorama.
  - Select Panorama > Setup > Management and Edit the Panorama Settings.
  - Uncheck Allow Custom Certificate Only.
  - (Optional, but recommended for safety during the transition) Temporarily set the Certificate Profile under Secure Server Communication to None. This allows clients to connect even if their CA validation initially fails.
  - Click OK.
  - Commit your changes on Panorama.
- Deploy the new root or intermediate CA certificate to Panorama (Panorama > Certificate Management > Certificates > Import).
- Update the server's certificate profile on Panorama to trust the new CA.
  - Select Panorama > Certificate Management > Certificate Profile and select the profile used for Secure Server Communication.
  - Under CA Certificates, Add the new CA certificate.
  - Keep the old CA certificate listed for now so that clients still using certificates signed by the old CA can connect.
  - Click OK.
  - If you set the Certificate Profile to None in the first step, re-select the updated Certificate Profile now under Panorama > Setup > Management > Panorama Settings > Secure Server Communication.
  - Commit your changes on Panorama.
- Deploy the new root or intermediate CA certificate to all managed devices (firewalls and Log Collectors).
  You can do this via a Template push (Panorama > Templates > ... > Device > Certificate Management > Certificates) or manually on each device.
- Generate or import new client certificates signed by the new CA.
  Deploy these new client certificates to the managed devices using the methods described in "Change a Client Certificate".
- Update the client's certificate profile (used for validating the Panorama server certificate) to trust the new CA.
  - Update the certificate profile used in the Panorama Settings on the client devices (or in the Template). The client uses this profile to validate the server.
  - Select Device > Certificate Management > Certificate Profile (or the equivalent Template path) and select the profile the client uses to validate Panorama.
  - Under CA Certificates, Add the new CA certificate.
  - Keep the old CA certificate listed for now if the Panorama server certificate has not yet been re-signed by the new CA.
  - Click OK.
  - Commit and Push the changes if using Templates, or Commit locally.
  - (Optional, but recommended) Generate or import a new server certificate for Panorama or the server Log Collector signed by the new CA. Deploy it using the steps in "Change a Server Certificate".
- Once ALL clients and the server are using certificates signed by the new CA, and their respective certificate profiles trust the new CA:
  - Remove the old CA certificate from the server's certificate profile on Panorama.
  - Remove the old CA certificate from the client's certificate profile on the managed devices (or template).
- Re-enable strict custom certificate enforcement on Panorama.
  - Select Panorama > Setup > Management and Edit the Panorama Settings.
  - Check Allow Custom Certificate Only.
  - Ensure the correct (updated) Certificate Profile is selected.
  - Click OK.
  - Commit your changes on Panorama.
Replacing a CA certificate is complex. Plan carefully and perform steps during a maintenance window. Ensure rollback procedures are in place.
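The following Go program ties together the mutual authentication described in How Are SSL/TLS Connections Mutually Authenticated?, the server-side Authorize Client Based on Serial Number and Allow Custom Certificate Only settings, and the CA-rotation advice above to keep the old and the new CA listed together in the certificate profile during the transition. It is an added example written for this page, not Palo Alto Networks code, and it does not reproduce how PAN-OS implements these checks internally: the FQDN panorama.example.internal and the serial number 001901000123 are constructed values, the enterprise CA is generated in memory, the client CN is set directly to the serial number rather than to the hash that the $UDID keyword produces, and each handshake runs over a loopback TCP socket. In Go's tls.Config, RootCAs and ClientCAs play the role of the client-side and server-side certificate profiles, ServerName drives the Check Server Identity comparison against the server certificate's CN/SAN, RequireAndVerifyClientCert corresponds to Allow Custom Certificate Only, and VerifyPeerCertificate holds the serial-number authorization.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed sample values (assumptions for this example, not values from any real deployment).
const panoramaFQDN, deviceSerial = "panorama.example.internal", "001901000123"
// mint signs tmpl for the public key pub with issuerKey (self-signed when issuer is tmpl itself).
func mint(tmpl, issuer *x509.Certificate, pub ed25519.PublicKey, issuerKey ed25519.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// newCA plays an enterprise PKI root that can sign both server and client certificates.
func newCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return mint(tmpl, tmpl, pub, key), key
}
// leaf issues an end-entity certificate: the server carries the management FQDN as a Subject Alt Name, a client its serial number as the CN.
func leaf(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, sans []string, eku x509.ExtKeyUsage) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: sans, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	return tls.Certificate{Certificate: [][]byte{mint(tmpl, ca, pub, caKey).Raw}, PrivateKey: key}
}
// authorizeClient models Authorize Client Based on Serial Number: after chain validation against the trusted CA, the leaf CN must match a managed device serial.
func authorizeClient(serials map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) == 0 || !serials[chains[0][0].Subject.CommonName] {
			return fmt.Errorf("client certificate CN is not a configured managed-device serial number")
		}
		return nil
	}
}
// handshake runs one mutual TLS handshake over loopback TCP and returns the server's verdict (a TLS 1.3 client can finish its own side before the server rejects it).
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback scaffolding for the example
	if err != nil {
		return err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		done <- err
	}()
	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close() // unblocks Accept so the goroutine reports and exits
		return err
	}
	defer conn.Close() // closed only after the server has reported, so no data is lost to a reset
	_ = tls.Client(conn, clientCfg).Handshake()
	return <-done
}
// RunScenarios exercises the checks described on the page and returns the server-side error per case.
func RunScenarios() map[string]error {
	ca, caKey := newCA("Example Enterprise Root CA")
	newRoot, newRootKey := newCA("Example Enterprise Root CA G2") // replacement CA during a CA rotation
	trusted, both := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca) // the CA listed in both certificate profiles today
	both.AddCert(ca)    // old and new CA listed together while the rotation is in progress
	both.AddCert(newRoot)
	server := &tls.Config{
		Certificates:          []tls.Certificate{leaf(ca, caKey, panoramaFQDN, []string{panoramaFQDN}, x509.ExtKeyUsageServerAuth)},
		ClientAuth:            tls.RequireAndVerifyClientCert, // Allow Custom Certificate Only
		ClientCAs:             trusted,                        // server-side certificate profile
		VerifyPeerCertificate: authorizeClient(map[string]bool{deviceSerial: true}),
	}
	rotating := server.Clone()
	rotating.ClientCAs = both
	client := func(issuer *x509.Certificate, key ed25519.PrivateKey, cn, serverName string) *tls.Config {
		cert := leaf(issuer, key, cn, nil, x509.ExtKeyUsageClientAuth)
		return &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: trusted, ServerName: serverName} // client-side certificate profile; ServerName is the Check Server Identity comparison
	}
	return map[string]error{
		"valid":                        handshake(server, client(ca, caKey, deviceSerial, panoramaFQDN)),
		"server identity mismatch":     handshake(server, client(ca, caKey, deviceSerial, "panorama-decom.example.internal")),
		"serial not authorized":        handshake(server, client(ca, caKey, "000000000000", panoramaFQDN)),
		"new ca before profile update": handshake(server, client(newRoot, newRootKey, deviceSerial, panoramaFQDN)),
		"new ca during rotation":       handshake(rotating, client(newRoot, newRootKey, deviceSerial, panoramaFQDN)),
	}
}
func main() { fmt.Println(RunScenarios()) }
```

Running it prints a map of scenario name to the server's verdict: the two accepted cases ("valid" and "new ca during rotation") report <nil>, while the other three report why the server closed the connection. The verdict is taken from the server side on purpose: with TLS 1.3 the client completes its own handshake before the server has validated the client certificate, so a client-side success does not by itself mean the server accepted the device.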
Diagrams
Mutual SSL/TLS Authentication Flow
sequenceDiagram
    participant C as Client (Firewall/Log Collector)
    participant S as Server (Panorama/Log Collector)
    C->>S: Initiate connection (ClientHello)
    S->>C: ServerHello, Certificate, CertificateRequest
    Note over C: Verify server certificate: CN/SAN matches the server IP/FQDN, chain trusted via the client's certificate profile
    C->>S: Certificate, CertificateVerify
    Note over S: Verify client certificate: chain trusted via the server's certificate profile, authorization list / serial number checked if configured
    S->>C: ChangeCipherSpec, Finished
    C->>S: ChangeCipherSpec, Finished
    Note right of S: Secure connection established
Sequence diagram illustrating the handshake process for mutual SSL/TLS authentication between a client (like a firewall) and a server (like Panorama).
Configuration Process Overview
graph TD
    A[Start Configuration] --> B{"Configure server side? (Panorama/Log Collector)"}
    B -- Yes --> C[Deploy/Generate Server Certificate]
    C --> D["Create Server Certificate Profile (Trusts Client CAs)"]
    D --> E["Create SSL/TLS Service Profile (Uses Server Cert)"]
    E --> F["Configure Secure Server Communication (Use Profiles, Set Options)"]
    F --> G{"Configure client side? (Firewall/Log Collector)"}
    B -- No --> G
    G -- Yes --> H["Deploy/Generate Client Certificate (Consider $UDID)"]
    H --> I["Create Client Certificate Profile (Trusts Server CA)"]
    I --> J["Configure Client Communication Settings (Use Client Cert/Profile, Check Server ID?)"]
    J --> K[Commit and Verify Connection]
    G -- No --> K
    K --> L{Enforce Custom Certs Only?}
    L -- Yes --> M["Enable 'Allow Custom Certificate Only' on Panorama Server"]
    M --> N[Commit and Verify]
    N --> O[End Configuration]
    L -- No --> O
Flowchart showing the general steps involved in configuring custom certificates for both the server (Panorama) and client (Managed Device) sides.