How to renew an internal certificate used for communication between Panorama and managed firewalls

Created On 06/10/20 12:32 PM - Last Modified 09/10/25 02:46 AM


Objective


  • When Panorama or a firewall has an expired server/client certificate, communication between Panorama and the firewall stops, and the device shows as disconnected on Panorama.
  • This article provides an alternative way to renew the certificates used for communication between Panorama and the firewall that does not require root shell access.


Environment


  • Panorama with Managed Firewalls
  • Supported PAN-OS
  • Expired Certificates


Procedure


  • Before starting the procedure, ensure you have physical access to the device.
  • This is because management access to the device will be lost after step 3.
  • If the IP address configured in step 3 is not reachable, physical access to the device will be required to restore the IP address to its original value.

 

  1. Confirm that the certificate on either Panorama or firewall has expired.
admin@Panorama-8.1.14> show panorama-certificates 
-rw-r--r-- 1 root root 3.2K May 31  2009 server.pem

admin@FW-8.1.14-Active(active)> show panorama-certificates 
-rw-r--r-- 1 root root 3.2K Nov 22  2019 client.pem

In this output, the server certificate on Panorama shows a generation date in 2009.
  2. Ensure that the date/time of the device is correct.
  3. Change the management IP address of the device with the expired certificate and commit, then change it back and commit again.
  4. A reboot of the device may be required to finalize the process.
  5. Verify that a new certificate has been generated, using the same commands as in step 1.


Additional Information


  • The certificate contains the device's IP address in the Common Name (CN) field, so every time the IP address changes, a new certificate is generated with the new IP address in the CN field.
  • The certificate in this example shows that it was generated in 2009, but it was actually generated in 2019.
  • The certificate takes the configured date/time of the device as the start of its validity period and is valid for 10 years.
  • Because the date/time was misconfigured (2009 instead of 2019), the certificate was generated with an incorrect validity range.
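As an added example (not part of this article or of any Palo Alto Networks tool), the following Python script parses the ls-style lines printed by show panorama-certificates in step 1, applies the 10-year validity period described above, and reports which certificate has expired and whether its generation date suggests the device clock was wrong when it was created. The sample listing, the EARLIEST_PLAUSIBLE threshold and the handling of ls's HH:MM date form are assumptions made for this example.

```python
import re
from datetime import date, datetime

# Constructed sample: the two "show panorama-certificates" listing lines quoted in the article.
SAMPLE_LISTING = """\
-rw-r--r-- 1 root root 3.2K May 31  2009 server.pem
-rw-r--r-- 1 root root 3.2K Nov 22  2019 client.pem
"""
VALIDITY_YEARS = 10  # the article states the internal certificate is valid for 10 years
# Assumption: a generation date before this threshold means the device clock was probably
# wrong when the certificate was created (the article's case: 2009 instead of 2019).
EARLIEST_PLAUSIBLE = date(2010, 1, 1)
# perms links owner group size month day (year | HH:MM) filename
LINE_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\w{3})\s+(\d{1,2})\s+(\d{4}|\d{2}:\d{2})\s+(\S+)$")

def parse_line(line, today):
    """Return (filename, generation date) for one ls-style line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    mon, day, year_or_time, name = m.groups()
    # ls prints HH:MM instead of a year for files modified within roughly the last six months
    year = today.year if ":" in year_or_time else int(year_or_time)
    generated = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
    if ":" in year_or_time and generated > today:  # e.g. listing taken in January, file dated December
        generated = generated.replace(year=year - 1)
    return name, generated

def expiry_of(generated):
    """Generation date plus the fixed validity period; 29 Feb rolls back to 28 Feb."""
    try:
        return generated.replace(year=generated.year + VALIDITY_YEARS)
    except ValueError:
        return generated.replace(year=generated.year + VALIDITY_YEARS, day=28)

def check_certificates(listing, today=None):
    """Flag each certificate in the listing that is expired or has a suspicious generation date."""
    today = today or date.today()
    results = []
    for line in listing.splitlines():
        parsed = parse_line(line, today)
        if parsed is None:
            continue  # prompts, command echoes and blank lines
        name, generated = parsed
        expires = expiry_of(generated)
        results.append({"file": name, "generated": generated, "expires": expires,
                        "expired": expires <= today, "clock_suspect": generated < EARLIEST_PLAUSIBLE})
    return results
```

Run against the article's listing with today set to the article's creation date, the script flags server.pem as expired (2009 + 10 years) with a suspicious generation date, and client.pem as valid until 2029.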

