How can I ensure the trusted root CA store is up to date on PAN-OS, and what can happen if I don't?
Created On 03/01/25 01:25 AM - Last Modified 03/05/25 23:36 PM
Environment
PAN-OS 11.1
Answer
- The list of trusted root CAs is updated with each major PAN-OS release.
- If you remain on an older PAN-OS release for an extended period of time, the firewall will not have the most current list of trusted root CAs.
- Features that perform certificate validation on the firewall, such as server profiles, EDLs, GlobalProtect and decryption, to name a few, rely on those publicly trusted CAs unless you import certificates manually (as you would for a private CA, for example).
- If a feature connects to a service whose server certificate is signed by a root CA that is NOT in the PAN-OS certificate store, certificate validation fails and that particular service is impacted. This can mean that firewall connections to servers in server profiles fail, EDLs cannot be updated for security policies, GlobalProtect VPN users cannot connect, decrypted sessions fail, and so on.
- If you prefer to stay on older PAN-OS versions longer but still wish to periodically update the root CAs that the firewall trusts, then depending on your organization's requirements and its sources of public root CA information, you may manually manage and import them at Device > Certificate Management > Certificates (or through the related CLI/API calls). There are also third-party and community options such as https://github.com/PaloAltoNetworks/pan-chainguard, which can source the same trusted CA list used by major OS and browser vendors.
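Before importing anything manually, a practitioner usually wants to know which roots in the upstream bundle (for example the vendor CA list that pan-chainguard sources) are absent from the firewall's current trusted-CA store, and which roots the firewall still trusts that the upstream list has dropped. The script below is an added example, not code from this article or from Palo Alto Networks, that compares two PEM bundles by SHA-256 fingerprint of the DER encoding and emits the missing roots as a PEM file ready to import at Device > Certificate Management > Certificates. It assumes you have already exported the firewall's trusted-CA list as PEM (the export path is a placeholder; this article does not give the command), and the "certificates" embedded here are constructed opaque byte strings standing in for real DER, because fingerprint comparison does not depend on parsing X.509.

```python
import base64
import hashlib
import re

# Matches each CERTIFICATE block in a PEM bundle; comments and blank lines between
# blocks (as found in Mozilla-style bundles) are ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER encoding, the value shown in most CA inventories."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a single PEM CERTIFICATE block (64-character base64 lines)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def compare_stores(upstream_pem: str, firewall_pem: str) -> dict:
    """Diff an upstream root bundle against the firewall's exported trusted-CA store."""
    upstream = {fingerprint(d) for d in parse_pem_bundle(upstream_pem)}
    firewall = {fingerprint(d) for d in parse_pem_bundle(firewall_pem)}
    return {
        "missing_from_firewall": sorted(upstream - firewall),  # roots to import
        "only_on_firewall": sorted(firewall - upstream),       # roots upstream no longer ships
        "in_both": len(upstream & firewall),
    }


def export_missing(upstream_pem: str, firewall_pem: str) -> str:
    """PEM bundle of the upstream roots the firewall lacks, in upstream order."""
    firewall = {fingerprint(d) for d in parse_pem_bundle(firewall_pem)}
    return "".join(
        to_pem(d) for d in parse_pem_bundle(upstream_pem) if fingerprint(d) not in firewall
    )


# Constructed stand-in "certificates": opaque byte strings, not real X.509 DER.
CERT_A = b"constructed-root-A"
CERT_B = b"constructed-root-B"
CERT_C = b"constructed-root-C-added-upstream"
CERT_D = b"constructed-root-D-retired-upstream"

# Constructed upstream bundle (what a current vendor/browser CA list would carry).
UPSTREAM_BUNDLE = "# constructed upstream root bundle\n" + to_pem(CERT_A) + to_pem(CERT_B) + to_pem(CERT_C)
# Constructed export of the firewall's trusted-CA store (older release: lacks C, still has D).
FIREWALL_STORE = "# constructed export of the firewall trusted-CA store\n" + to_pem(CERT_A) + to_pem(CERT_B) + to_pem(CERT_D)

if __name__ == "__main__":
    # In practice read both bundles from disk, e.g. UPSTREAM_BUNDLE from the
    # pan-chainguard output and FIREWALL_STORE from "<firewall-export>.pem" (placeholder path).
    report = compare_stores(UPSTREAM_BUNDLE, FIREWALL_STORE)
    for key, value in report.items():
        print(f"{key}: {value}")
    with open("roots-to-import.pem", "w") as fh:
        fh.write(export_missing(UPSTREAM_BUNDLE, FIREWALL_STORE))
```

The "only_on_firewall" set is worth reviewing as well as the missing set: a root that the upstream list has removed will keep being trusted by a firewall on an older release until it is removed there too, so the comparison shows drift in both directions, not just the gaps that cause validation failures.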
Additional Information
The "Default Trusted Certificate Authorities" list (the root CA store) is explained here:
Next-Generation Firewall Docs - Default Trusted Certificate Authorities (CAs)
Refer to certificate best practices for specific features such as: