Palo Alto Networks Certificate Management

Overview: Custom Certificates for Authentication

By default, Palo Alto Networks devices use predefined certificates for mutual authentication to establish the SSL connections used for management access and inter-device communication. However, you can configure authentication using custom certificates instead. Additionally, you can use custom certificates to secure the High Availability (HA) connections between Panorama HA peers.

Custom certificates allow you to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and log collectors. See Certificate Management for detailed information about the certificates and how to deploy them on Panorama, Log Collectors, and firewalls.

The following topics describe how to configure and manage custom certificates using Panorama.

How Are SSL/TLS Connections Mutually Authenticated?

In a regular SSL connection, only the server needs to identify itself to the client by presenting its certificate. However, in mutual SSL authentication , the client presents its certificate to the server as well. Panorama, the primary Panorama HA peer, Log Collectors, WildFire appliances, and PAN-DB appliances can act as the server. Firewalls, Log Collectors, WildFire appliances, and the secondary Panorama HA peer can act as the client. The role that a device takes on depends the deployment. For example, in the diagram below, Panorama manages a number of firewalls and a collector group and acts as the server for the firewalls and Log Collectors. The Log Collector acts as the server to the firewalls that send logs to it.

To deploy custom certificates for mutual authentication in your deployment, you need:

SSL/TLS Service Profile — An SSL/TLS service profile defines the security of the connections by referencing your custom certificate and establishing the SSL/TLS protocol versions used by the server device to communicate with client devices.
Server Certificate and Profile — Devices in the server role require a certificate and certificate profile to identify themselves to the client devices. You can deploy this certificate from your enterprise public key infrastructure (PKI), purchase one from a trusted third-party CA, or generate a self-signed certificate locally. The server certificate must include the IP address or FQDN of the device’s management interface in the certificate common name (CN) or Subject Alt Name. The client firewall or Log Collector matches the CN or Subject Alt Name in the certificate the server presents against the server’s IP address or FQDN to verify the server’s identity.

Additionally, use the certificate profile to define certificate revocation status (OCSP/CRL) and the actions taken based on the revocation status.

Client Certificates and Profile — Each managed device requires a client certificate and certificate profile . The client device uses its certificate to identify itself to the server device. You can deploy certificates from your enterprise PKI, using Simple Certificate Enrollment Protocol (SCEP) , purchase one from a trusted third-party CA, or generate a self-signed certificate locally.

Custom certificates can be unique to each client device or common across all devices. The unique device certificates uses a hash of the serial number of the managed device and CN . The server matches the CN or the subject alt name against the configured serial numbers of the client devices. For client certificate validation based on the CN to occur, the username must be set to Subject common-name. The client certificate behavior also applies to Panorama HA peer connections.

You can configure the client certificate and certificate profile on each client device or push the configuration from Panorama to each device as part of a template.

Configure an SSL/TLS Service Profile

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS or Panorama Managed)	For cloud-managed NGFWs: AIOps for NGFW Premium

Where Can I Use This?

What Do I Need?

NGFW (Cloud Managed)
NGFW (PAN-OS or Panorama Managed)

For cloud-managed NGFWs:

AIOps for NGFW Premium

Palo Alto Networks firewalls and Panorama appliances use SSL/TLS to secure connections to the Authentication Portal, GlobalProtect portals and gateways, the management interface, HTTPS websites that require password access (URL admin override), and the User-ID™ syslog listening service. You can create an SSL/TLS service profile to define the server certificate, SSL/TLS protocol versions, and ciphers supported for connections to these services. Cipher suites are automatically selected based on the protocol versions chosen. However, you can disable individual ciphers as needed. If a service request involves a protocol version outside the specified range, the firewall or Panorama appliance downgrades or upgrades the connection to a supported version. To activate an SSL/TLS service profile, attach the profile to the settings for a specific service.

In the client systems that request firewall services, the certificate trust list (CTL) must include the certificate authority (CA) certificate that issued the certificate specified in the SSL/TLS service profile. Otherwise, users will see a certificate error when requesting firewall services. Most third-party CA certificates are present by default in client browsers. If an enterprise or firewall-generated CA certificate is the issuer, you must deploy that CA certificate to the CTL in client browsers.

TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.

Steps (PAN-OS & Panorama)

For each desired service, generate or import a certificate on the firewall (see Obtain Certificates ).
Use only signed certificates, not CA certificates, in SSL/TLS service profiles.
Select Device > Certificate Management > SSL/TLS Service Profile .
If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared ) where the profile is available.
Click Add and enter a Name to identify the profile.
Select the Certificate you obtained in step one.
Under Protocol Settings , define the range of TLS versions that the service can use.
TLSv1.3 support is limited to administrative access to management interfaces and GlobalProtect portals and gateways. You can only attach SSL/TLS service profiles that allow TLSv1.3 to the settings for these services.
- Administrative Access and GlobalProtect Portals and Gateways:
  - For the Min Version , select the earliest allowed TLS version: TLSv1.0 , TLSv1.1 , TLSv1.2 , or TLSv1.3 .
  - For the Max Version , select the latest allowed TLS version: TLSv1.0 , TLSv1.1 , TLSv1.2 , or TLSv1.3 .
  - Recommendation: Min TLSv1.2, Max TLSv1.3 (if supported by clients) or TLSv1.2.
- All Other Services:
  - For the Min Version , select the earliest allowed TLS version: TLSv1.0 , TLSv1.1 , or TLSv1.2 .
  - For the Max Version , select the latest allowed TLS version: TLSv1.0 , TLSv1.1 , or TLSv1.2 .
  - Recommendation: Min TLSv1.2, Max TLSv1.2. Avoid TLSv1.0/1.1 unless legacy compatibility is strictly required.
(Optional) Deselect any Key Exchange Algorithms , Encryption Algorithms , or Authentication Algorithms to restrict cipher suites further.
Click OK and Commit your changes.

Configure a Certificate Profile

Certificate profiles define user and device authentication for Authentication Portal, multi-factor authentication (MFA), GlobalProtect, site-to-site IPSec VPN, external dynamic list validation, dynamic DNS (DDNS), User-ID agent and TS agent access, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

Enable Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) status verification in certificate profiles to verify that a certificate hasn’t been revoked. Enable both OCSP and CRL so that if the OCSP server isn’t available, the firewall uses CRL. For details on these methods, see Certificate Revocation .

Steps

Obtain the certificate authority (CA) certificates you will assign to the profile.
Assign at least one certificate to a certificate profile. Choose one of the following options to obtain the CA certificates you will assign to the profile.
- Generate a certificate locally on the device.
- Export a certificate from your enterprise CA, then import it onto the firewall (refer to step 3.2 below).
Identify the certificate profile.
1. Select Device > Certificate Management > Certificate Profile , and then Add a profile.
2. Enter a Name to identify the profile. (Case-sensitive, unique, up to 63 chars on FW / 31 on Panorama. Letters, numbers, spaces, hyphens, underscores allowed).
3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared ) for the certificate.
Assign one or more CA certificates to the profile. Repeat the following steps for each CA certificate:
1. In the CA Certificates table, click Add .
2. Select a CA Certificate from the dropdown (must be imported previously).
  Alternatively, you can Import a certificate directly here. To import, enter a Certificate Name , Browse for a Certificate File you exported from an enterprise CA, and then click OK .
3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
  - By default, the firewall uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https:// ).
  - By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
4. Click OK . The CA Certificates table displays the assigned certificate.
Define the methods for verifying certificate revocation status and the associated blocking behavior.
1. Select Use CRL or Use OCSP . If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
2. Depending on the verification method, specify a CRL Receive Timeout or OCSP Receive Timeout value in seconds (range is 1 to 60). After these intervals, the firewall stops waiting for a response from the CRL or OCSP service.
3. Specify a Certificate Status Timeout in seconds (range is 1 to 60). After this interval, the firewall stops waiting for a response from either certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP or CRL Receive Timeout setting as follows:
  - If both OCSP and CRL enabled: Timeout occurs after lesser of ( Certificate Status Timeout ) or ( OCSP Receive Timeout + CRL Receive Timeout ).
  - If only OCSP enabled: Timeout occurs after lesser of ( Certificate Status Timeout ) or ( OCSP Receive Timeout ).
  - If only CRL enabled: Timeout occurs after lesser of ( Certificate Status Timeout ) or ( CRL Receive Timeout ).
4. Block sessions if certificate status is unknown . If selected, the firewall blocks sessions when the OCSP or CRL service returns a status of unknown. Otherwise, the firewall allows these sessions.
5. Block sessions if certificate status cannot be retrieved within timeout . If selected, the firewall blocks sessions after the firewall registers the timeout of an OCSP or CRL request. Otherwise, the firewall allows these sessions.
6. ( GlobalProtect only ) Block sessions if the certificate was not issued to the authenticating device . If selected, the firewall blocks sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint.
7. Block sessions with expired certificates . (Generally recommended to keep enabled).
Click OK , then Commit your changes.

Configure Authentication Using Custom Certificates on Panorama (Server Side)

Complete the following procedure to configure the server side (Panorama) to use custom certificates instead of predefined certificates for mutual authentication with managed devices in your deployment. See the HA documentation for configuring custom certificates on a Panorama HA pair.

Deploy the server certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise certificate authority (CA) or a trusted third-party CA.

Ensure the server certificate contains the Panorama management interface IP address or FQDN in its Common Name (CN) or Subject Alternative Name (SAN).
On Panorama, configure a certificate profile. This certificate profile defines which CAs are trusted to sign the *client* certificates connecting to Panorama.
1. Select Panorama > Certificate Management > Certificate Profile .
2. Configure a certificate profile , adding the CA(s) that signed (or will sign) your managed device certificates. Configure revocation checking as needed.
If you configure an intermediate CA as part of the certificate profile, you must include the root CA as well.
Configure an SSL/TLS service profile.
1. Select Panorama > Certificate Management > SSL/TLS Service Profile .
2. Configure an SSL/TLS profile that references the *server certificate* deployed in step 1 and specifies the desired TLS versions/ciphers for management connections.
Configure Secure Server Communication on Panorama or a Log Collector in the server role.
1. Select one of the following navigation paths:
  - For Panorama: Panorama > Setup > Management and Edit the Secure Communications Settings
  - For a Log Collector: Panorama > Managed Collectors > Add > Communication (or Edit existing)
2. Select the Customize Secure Server Communication option.
3. Verify that the Allow Custom Certificate Only check box is *not* selected initially. This allows you to continue managing all devices while migrating to custom certificates.
4. When the Custom Certificate Only check box is selected, Panorama does not authenticate and cannot manage devices using predefined certificates.
5. Select the SSL/TLS Service Profile created in step 3. This profile applies to all SSL connections between Panorama, firewalls, Log Collectors, and Panorama HA peers.
6. Select the Certificate Profile created in step 2. This profile is used by Panorama to validate the certificates presented by connecting clients (firewalls, log collectors).
7. (Optional) Configure an authorization list. This adds security beyond certificate authentication by checking the client certificate Subject or Subject Alt Name against an identifier list.
  1. Add an Authorization List.
  2. Select the Subject or Subject Alt Name configured in the certificate profile as the Identifier type.
  3. Enter the Common Name if the identifier is Subject or an IP address, hostname or email if the identifier is Subject Alt Name.
  4. Click OK .
  5. Select Check Authorization List to enforce it.
  You can also authorize client devices based on their serial number.
8. Select Authorize Client Based on Serial Number to authenticate clients based on managed device serial numbers. The CN or subject in the client certificate must have the special keyword $UDID to enable this.
9. (If applicable) Select the Data Redistribution option in the Customize Communication section to use a custom certificate for outgoing communication with data redistribute clients.
10. In Disconnect Wait Time (min) , specify how long Panorama should wait before terminating the current session and reestablishing the connection (0 to 44,640 minutes, blank=0). This is useful when rolling out certificate changes.
11. The disconnect wait time does not begin counting down until you commit the new configuration.
12. Click OK .
13. Commit your changes on Panorama.

Configure Authentication Using Custom Certificates on Managed Devices (Client Side)

Complete the following procedure to configure the client side (firewall or Log Collector) to use custom certificates instead of predefined certificates for mutual authentication with Panorama (or a server Log Collector).

Upgrade each managed firewall or Log Collector. All managed devices must be running PAN-OS 8.0 or later to enforce custom certificate authentication.
Upgrade the firewall . After upgrade, each firewall connects to Panorama using the default predefined certificates initially.
Obtain or generate the device certificate (client certificate).
You can deploy certificates via self-signed generation or obtaining from a CA.

Set the common name to $UDID or subject to CN=$UDID (in the SCEP profile) if authorizing client devices based on serial number on the Panorama side.
- You can generate a self-signed certificate on Panorama (and push it) or obtain one from your enterprise CA or a trusted third-party CA.
- If using SCEP for the device certificate, configure a SCEP profile . SCEP allows automatic certificate deployment to managed devices.
Configure the certificate profile for the client device. This profile is used by the client to *validate the server's (Panorama's) certificate*.
You can configure this on each client device individually or push it via a template .
1. Select one of the following navigation paths:
  - For firewalls—Select Device > Certificate Management > Certificate Profile (or configure within a Panorama Template).
  - For Log Collectors—Select Panorama > Certificate Management > Certificate Profile (applied via Collector Group config later).
2. Configure the certificate profile . Add the CA certificate(s) that signed the *Panorama server certificate*. Configure revocation checking as needed.
Deploy the client certificate settings on each firewall or Log Collector.
1. Select one of the following navigation paths:
  - For firewalls: Select Device > Setup > Management and Edit the Panorama Settings (or configure within a Panorama Template/Template Stack).
  - For Log Collectors: Select Panorama > Managed Collectors and Add a new Log Collector or select an existing one. Select Communication .
2. Select the Secure Client Communication check box (firewall only, under Panorama Settings).
3. Select the Certificate Type .
  - If using a local device certificate: Select the Certificate (client cert) and the Certificate Profile (created in step 3, validates Panorama cert).
  - If using SCEP: Select the SCEP Profile and the Certificate Profile (created in step 3).
  - If reverting or initially connecting: Select Predefined .
4. (Optional, Recommended) Enable Check Server Identity . The client checks the CN/SAN in the server certificate against Panorama’s IP/FQDN configured in Panorama Settings.
5. Click OK .
6. Commit your changes (locally or Push from Panorama).
After committing your changes, the managed device does not terminate its current session with Panorama until the Disconnect Wait Time (configured on Panorama) is complete.
(If applicable on Log Collectors) Select the incoming communication types for which you want to use a custom certificate:
- HA Communication
- WildFire Communication
- Data Redistribution
After deploying custom certificates on ALL managed devices, enforce authentication using custom certificates on Panorama.
The WildFire appliance does *not* currently support custom certificates for its management connection. If your Panorama is managing a WildFire appliance, do *not* select Allow Custom Certificates Only .
1. Select Panorama > Setup > Management and Edit the Panorama settings.
2. Select Allow Custom Certificate Only .
3. Click OK .
4. Commit your changes on Panorama.
After committing this change, all devices managed by Panorama MUST use custom certificates. If not, authentication between Panorama and the device fails.

Add New Client Devices

When adding a new firewall or Log Collector to Panorama, the workflow depends on whether Panorama is configured to use custom certificates only for mutual authentication.

If Allow Custom Certificates Only is not selected on Panorama: You can add the device to Panorama first using predefined certificates, and then deploy the custom certificate by following the process in Configure Authentication Using Custom Certificates on Managed Devices .
If Allow Custom Certificates Only is selected on Panorama: You MUST deploy the custom certificates on the firewall *BEFORE* adding it to Panorama. If not, the managed device will not be able to authenticate with Panorama. This can be done manually through the firewall web interface or through bootstrapping as part of the bootstrap.xml file .

If a custom certificate in your deployment has expired or been revoked and needs to be replaced, see the Certificate Replacement sections.

WildFire Appliance Mutual SSL Authentication

Where Can I Use This?	What Do I Need?
WildFire Appliance	WildFire License

When a firewall or Panorama sends a sample to a WildFire appliance for analysis, the firewall acts as the client and the WildFire appliance acts as the server. To mutually authenticate, each device presents a certificate to identify itself to the other device.

To deploy custom certificates for mutual authentication in your deployment, you need:

SSL/TLS Service Profile (on WF Appliance) —An SSL/TLS service profile defines the security of the connections by referencing the WildFire appliance's custom server certificate and establishing the SSL/TLS protocol version.
Server Certificate and Profile (on WF Appliance) —The WildFire appliance requires a certificate and certificate profile to identify itself to firewalls. You can deploy this certificate from your enterprise PKI, purchase one, or generate a self-signed certificate. The server certificate must include the IP address or FQDN of the WildFire appliance’s management interface in the certificate common name (CN) or Subject Alt Name. The firewall matches the CN/SAN against the WildFire appliance’s IP/FQDN to verify its identity. The Certificate Profile on the WF appliance defines trusted CAs for validating *client* (firewall) certificates and revocation checking.
Client Certificates and Profile (on Firewall/Panorama) —Each firewall requires a client certificate and certificate profile . The firewall uses its certificate to identify itself to the WildFire appliance. Deploy certificates via PKI (SCEP), purchase, or generate self-signed. The Certificate Profile on the firewall defines the trusted CA for validating the *WildFire appliance's* server certificate.

Configure Authentication with Custom Certificates on the WildFire Appliance (CLI)

Use the following workflow to replace predefined certificates with custom certificates in your WildFire deployment using the WildFire appliance CLI.

Obtain key pairs and certificate authority (CA) certificates for the WildFire appliance (server) and the connecting firewalls/Panorama (clients).
Import the CA certificate(s) used to validate the *firewall client certificates* onto the WildFire appliance.
1. Log in to the CLI on the WildFire appliance and enter configuration mode. admin@WF-500> configure
2. Use TFTP or SCP to import the CA certificate(s). admin@WF-500# {tftp | scp} import certificate from <host> file <remote-path/filename> certificate-name <local-cert-name> [format pem] ...
Import the keypair (server certificate and private key) for the WildFire appliance. admin@WF-500# {tftp | scp} import keypair from <host> file <remote-path/filename> certificate-name <local-cert-name> [passphrase <pwd>] [format {pkcs12 | pem}] ...
Ensure this server certificate has the WF appliance management IP/FQDN in its CN or SAN.
Configure a certificate profile on the WildFire appliance. This profile defines how the appliance validates *client* (firewall) certificates.
1. Name the certificate profile. admin@WF-500# set shared certificate-profile <profile-name>
2. Add the CA certificate(s) (imported in step 2) that signed the firewall client certificates. admin@WF-500# set shared certificate-profile <profile-name> ca <imported-ca-cert-name>
3. Configure revocation checking (OCSP/CRL) within the profile as needed (commands omitted for brevity, similar to GUI options).
Configure an SSL/TLS service profile for the WildFire appliance. This profile defines the *server certificate* the appliance uses and the TLS settings.
1. Identify the SSL/TLS profile name. admin@WF-500# set shared ssl-tls-service-profile <ssltls-profile-name>
2. Select the WildFire appliance's server certificate (imported in step 3). admin@WF-500# set shared ssl-tls-service-profile <ssltls-profile-name> certificate <wf-server-cert-name>
3. Define the SSL/TLS protocol range.
  PAN-OS supports TLS 1.2 and later TLS versions only. You must set the max version to TLS 1.2 or max.
  admin@WF-500# set shared ssl-tls-service-profile <ssltls-profile-name> protocol-settings min-version {tls1-2} admin@WF-500# set shared ssl-tls-service-profile <ssltls-profile-name> protocol-settings max-version {tls1-2 | max}
Configure secure server communication on the WildFire appliance to use the new profiles.
1. Set the SSL/TLS service profile (from step 5). This profile applies to all incoming SSL connections from firewalls. admin@WF-500# set deviceconfig setting management secure-conn-server ssl-tls-service-profile <ssltls-profile-name>
2. Set the certificate profile (from step 4). This profile is used to validate incoming client certificates. admin@WF-500# set deviceconfig setting management secure-conn-server certificate-profile <profile-name>
Commit the changes on the WildFire appliance. admin@WF-500# commit
On the connecting firewalls/Panorama, configure the WildFire settings ( Device > Setup > WildFire ) to:
- Point to the WildFire appliance IP/FQDN.
- Select the firewall's Client Certificate .
- Select the firewall's Certificate Profile (which trusts the WildFire appliance's server CA).
- Enable Validate Server Certificate .
- Commit changes on the firewall/Panorama.

Change a Server Certificate (Panorama or Server Log Collector)

Complete the following task to replace an expired or revoked server certificate on Panorama or a server Log Collector acting as the server in mutual authentication.

Deploy the new server certificate.
Generate or obtain the new certificate. Ensure it contains the correct IP/FQDN in the CN or SAN.

Import the new certificate onto Panorama ( Panorama > Certificate Management > Certificates > Import ).
Change the certificate in the SSL/TLS Service Profile used for server communication.
1. Select Panorama > Certificate Management > SSL/TLS Service Profile and select the profile used in the Secure Server Communication settings.
2. Select the new Certificate from the dropdown.
3. Click OK .
Reestablish the connection between the server and client devices.
1. Navigate to the Secure Communication Settings:
  - For Panorama: Panorama > Setup > Management > Edit Panorama Settings.
  - For a Log Collector: Panorama > Managed Collectors > select collector > Communication .
2. Set the Disconnect Wait Time (e.g., to 1 minute) to force reconnection relatively quickly after the commit.
3. Click OK .
4. Commit your changes on Panorama. Panorama will disconnect and reconnect with managed devices using the new server certificate after the wait time expires post-commit.

Change a Client Certificate (Managed Firewall or Log Collector)

Complete the following task to replace an expired or revoked client certificate on a managed device (Firewall or Client Log Collector).

Obtain or generate the new device certificate (client certificate).
Ensure the CN or subject is correct, especially if using $UDID for serial number authentication.

If using SCEP, ensure the SCEP server provides the new certificate upon request.
Change the certificate associated with the client device's configuration. This step depends on how the client certificate was initially deployed:
- If using a local certificate (not SCEP) deployed via Template:
  1. Import the new certificate to Panorama ( Panorama > Certificate Management > Certificates > Import ).
  2. Push the new certificate to the managed device(s) via the Template ( Panorama > Templates > select template > Device > Certificate Management > Certificates ). Add the new cert here.
  3. Update the Panorama Settings within the Template Stack ( Panorama > Templates > select template stack > Templates > select template > Device > Setup > Management > Panorama Settings ). Change the selected Certificate under Secure Client Communication to the new one.
  4. Commit and Push the template changes.
- If using a local certificate (not SCEP) configured directly on the device:
  1. Import the new certificate directly onto the firewall/log collector ( Device > Certificate Management > Certificates > Import ).
  2. Update the device's Panorama Settings ( Device > Setup > Management > Panorama Settings ). Change the selected Certificate under Secure Client Communication .
  3. Commit the changes on the device.
- If using SCEP:
  1. Ensure the SCEP server is configured to issue the new certificate.
  2. The device should automatically attempt to renew or retrieve the certificate based on the SCEP profile settings. You may need to trigger this manually (e.g., via CLI `request certificate enroll ...`) or wait for the renewal interval. Check the SCEP logs on the device (e.g., `less mp-log scep.log`).
  3. No change is typically needed in the Panorama Settings on the device/template itself, as it points to the SCEP profile, not a specific certificate.
The connection should re-establish using the new certificate automatically upon the next connection attempt after the certificate is updated on the client. You might force a reconnect by setting the 'Disconnect Wait Time' on Panorama if needed.

Change a Root or Intermediate CA Certificate

Replacing a CA certificate that signs either the server or client certificates requires careful steps to avoid breaking communication. This is the most complex replacement scenario.

Temporarily disable strict custom certificate enforcement on Panorama.
1. Select Panorama > Setup > Management and Edit the Panorama Settings.
2. Uncheck Allow Custom Certificate Only .
3. (Optional but recommended for safety during transition) Set the Certificate Profile under Secure Server Communication to None temporarily. This allows clients to connect even if their CA validation fails initially.
4. Click OK .
5. Commit your changes on Panorama.
Deploy the new root or intermediate CA certificate to Panorama.
( Panorama > Certificate Management > Certificates > Import )
Update the server's certificate profile on Panorama to trust the new CA (for validating client certs).
1. Select Panorama > Certificate Management > Certificate Profile and select the profile used for Secure Server Communication .
2. Under CA Certificates , Add the new CA certificate.
3. Keep the old CA certificate listed for now to allow clients still using certificates signed by the old CA to connect.
4. Click OK .
5. If you set the Certificate Profile to None in step 1c, re-select the updated Certificate Profile now under Panorama > Setup > Management > Panorama Settings > Secure Server Communication.
6. Commit your changes on Panorama.
Deploy the new root or intermediate CA certificate to all managed devices (firewalls/log collectors).
This can be done via Template push ( Panorama > Templates > ... > Device > Certificate Management > Certificates ) or manually on each device.
Generate or import new client certificates for all managed devices, signed by the new CA.
Deploy these new client certificates to the managed devices using the methods described in the "Change a Client Certificate" section.
Update the client's certificate profile (used for validating the Panorama server certificate) to trust the new CA.
1. Update the certificate profile used in the Panorama Settings on the client devices (or in the Template). This profile is used by the client to validate the server.
2. Select Device > Certificate Management > Certificate Profile (or via Template path) and select the profile used by the client to validate Panorama.
3. Under CA Certificates , Add the new CA certificate.
4. Keep the old CA certificate listed for now if the Panorama server certificate hasn't been re-signed by the new CA yet.
5. Click OK .
6. Commit and Push changes if using Templates, or Commit locally.
(Optional but recommended) Generate or import a new server certificate for Panorama/Server Log Collector signed by the new CA. Deploy it using the steps in "Change a Server Certificate". If you do this, ensure clients trust the new CA (Step 7) before applying the new server cert.
Once ALL clients and the server are using certificates signed by the new CA AND their respective certificate profiles trust the new CA:
1. Remove the old CA certificate from the server's certificate profile on Panorama.
2. Remove the old CA certificate from the client's certificate profile on managed devices (or template).
3. Re-enable strict custom certificate enforcement on Panorama.
  1. Select Panorama > Setup > Management and Edit the Panorama Settings.
  2. Check Allow Custom Certificate Only .
  3. Ensure the correct (updated) Certificate Profile is selected for validating clients.
  4. Click OK .
  5. Commit your changes on Panorama.

Replacing a CA certificate is complex. Plan carefully and perform steps during a maintenance window. Ensure rollback procedures are in place.

Diagrams

Mutual SSL/TLS Authentication Flow

Configuration Process Overview

Flowchart showing the general steps involved in configuring custom certificates for both the server (Panorama) and client (Managed Device) sides.

Interactive Quiz

Test your understanding of configuring custom certificates and profiles.

1. What is the primary role of an SSL/TLS Service Profile on a Palo Alto Networks device?

To define which Certificate Authority (CA) certificates are trusted for validating incoming connections. To specify the server certificate the device presents and the allowed TLS versions/ciphers for services like GlobalProtect or Management UI. To automatically enroll the device for a certificate using SCEP. To configure certificate revocation checking using OCSP and CRL.

2. Which component is primarily responsible for validating the certificate presented *by* a client (e.g., a firewall connecting to Panorama) and checking its revocation status?

The SSL/TLS Service Profile on the client. The SCEP Profile on the server (Panorama). The SSL/TLS Service Profile on the server (Panorama). The Certificate Profile on the server (Panorama).

3. When configuring custom certificate authentication for Panorama management, what identifying information *must* be present in the Panorama server certificate's CN or SAN field?

The serial number of the Panorama appliance. The keyword "$UDID". The IP address or FQDN of the Panorama management interface. The name of the Certificate Profile used.

4. If you want Panorama to authenticate connecting firewalls based specifically on their serial numbers, which configuration steps are required?

Enable "Authorize Client Based on Serial Number" in Panorama's Secure Communication settings AND ensure the firewall's client certificate CN or Subject contains "$UDID". Configure an Authorization List in Panorama's Secure Communication settings with the firewalls' serial numbers. Ensure the firewall's client certificate SAN contains its serial number AND enable "Check Server Identity" on the firewall. Use SCEP for certificate deployment and configure the SCEP profile with serial number validation.

5. What is the recommended practice regarding the "Allow Custom Certificate Only" setting on Panorama during the initial migration from predefined to custom certificates?

Enable it immediately to force all devices to switch. Keep it disabled until *all* managed devices have been successfully configured with custom certificates and verified. Enable it, but also configure a fallback SCEP profile. It doesn't matter; devices will automatically use custom certs if available.

6. Which PAN-OS feature allows for automated deployment and renewal of client certificates on managed firewalls, often used with an enterprise CA?

SSL/TLS Service Profile Bootstrapping with XML Simple Certificate Enrollment Protocol (SCEP) Certificate Profile with OCSP

7. When replacing an Intermediate CA certificate that signs client certificates, why must the *old* CA certificate temporarily remain in the Panorama server's Certificate Profile?

To allow Panorama to sign certificates with both CAs. To allow clients still using certificates signed by the old CA to authenticate while others are migrated to the new CA. To ensure the OCSP responder for the old CA is still reachable. This is not necessary; the old CA should be removed immediately.

8. If a firewall fails to connect to Panorama after enabling custom certificates, and the logs show "SSL handshake failed," what is LEAST likely to be the direct cause?

The firewall's Certificate Profile doesn't trust the Panorama server's CA. Panorama's Certificate Profile doesn't trust the firewall's CA. The firewall's client certificate has expired or been revoked (and blocking is enabled). The "Disconnect Wait Time" on Panorama is set too low.

9. Can a Certificate Profile be used for multiple purposes (e.g., both GlobalProtect client authentication and Site-to-Site VPN peer authentication)?

Yes, a single Certificate Profile can be configured with the necessary CAs and revocation settings and applied to multiple features. No, each feature requiring certificate authentication needs a completely unique Certificate Profile. Yes, but only if the same CA signs certificates for all purposes. No, Certificate Profiles are only used for management plane connections.

10. What is the purpose of the "Check Server Identity" option within the Panorama Settings on a managed firewall?

To verify that Panorama has a valid license installed. To ensure the firewall is running the same PAN-OS version as Panorama. To make the firewall validate that the Panorama server certificate's CN/SAN matches the configured Panorama IP/FQDN. To force the firewall to check Panorama's certificate revocation status via OCSP.

11. Which type of certificate should be selected within an SSL/TLS Service Profile?

A Root CA certificate. A signed server certificate (end-entity certificate). An Intermediate CA certificate. A SCEP profile placeholder.

12. If both OCSP and CRL are enabled in a Certificate Profile, which method does the firewall attempt first for revocation checking?

OCSP CRL Whichever has the shorter Receive Timeout configured. They are checked in parallel.

13. Adding a new firewall to Panorama requires configuring Panorama settings on the firewall. Where can these settings be applied?

Only directly on the firewall's web interface under Device > Setup. Only via a Panorama Template Stack. Only through bootstrapping using an XML file. Directly on the firewall (Device > Setup), via Panorama Template/Stack, or via bootstrapping.

14. Which setting in a Certificate Profile specifically blocks access if the OCSP/CRL server is unreachable within the defined timeout?

Block sessions if certificate status is unknown. Block sessions with expired certificates. Block sessions if certificate status cannot be retrieved within timeout. Block sessions if the certificate was not issued to the authenticating device.

15. For which service is TLSv1.3 support currently restricted when configuring an SSL/TLS Service Profile?

Site-to-Site IPSec VPN GlobalProtect Portals and Gateways & Management Interface Access User-ID Syslog Listener Authentication Portal

16. When configuring a WildFire appliance for mutual authentication using custom certificates via CLI, which command sequence imports the appliance's own server certificate and private key?

`import keypair ...` `import certificate ...` `set shared certificate-profile ...` `set shared ssl-tls-service-profile ... certificate ...`

17. If you import an Intermediate CA certificate into a Certificate Profile, what else is essential for validating the full chain?

The client's end-entity certificate. The OCSP responder's certificate. The SCEP server's certificate. The Root CA certificate that issued the Intermediate CA.

18. What is the minimum required PAN-OS version for managed devices to support custom certificate authentication with Panorama?

PAN-OS 7.1 PAN-OS 9.0 PAN-OS 8.0 PAN-OS 10.0

19. Which Palo Alto Networks appliance, when managed by Panorama, currently prevents enabling the "Allow Custom Certificate Only" setting due to lack of support?

WildFire Appliance (WF-500) M-Series Log Collector PA-7000 Series Firewall VM-Series Firewall

20. Where do you configure the specific client certificate or SCEP profile that a firewall uses to authenticate itself *to* Panorama?

Device > Certificate Management > Certificate Profile Device > Setup > Management > Panorama Settings Device > Certificate Management > SSL/TLS Service Profile Panorama > Setup > Management > Secure Communications Settings