How to Renew or Replace an Expired Certificate
Objective
Renewing or replacing an expired certificate.
Environment
- PAN-OS
- Certificates/PKI
Procedure
- Renew or replace the certificate based on its type:
  - If the expired certificate is under Device > Certificates then:
    - If the certificate is signed by the firewall acting as a CA, then use:
    - If the certificate is signed by an external/third-party CA, then use:
    - If the certificate is a CA Certificate, then use:
> request certificate show
- If the expired certificate is the Device Certificate, navigate to Device > Setup > Management > Device Certificate and perform the below steps:
CLI Command:
> show device-certificate status
- If the expired certificate is the Logging Service Certificate, navigate to Device > Setup > Management > Logging Service (Cortex Data Lake) and perform the below steps:
> request logging-service-forwarding status
Additional Information
Renew a Certificate
Obtain a Certificate from an External CA
Install a Device Certificate
How to Install a Device Certificate
Impact and Meaning of System Logs showing "No Valid Device Certificate Found"
Start Sending Logs to Cortex Data Lake
Verifying Cortex Data Lake Connectivity On A Palo Alto Firewall
Troubleshooting Firewall Connectivity Issues With Logging Service
How To Troubleshoot Connection Failure To Cortex Data Lake (CDL)
Tip: One way to find out which certificate(s) are currently in use (and by which configured software features) is to search Global Find (the search box at the top right of the PAN-OS Web UI) for the name of the certificate. The search results will list either the SSL/TLS Service Profile or the Certificate Profile where the certificate is used. You can then search for the names of those profiles to continue tracing where they are referenced. For certificates used for decryption, Device > Certificates > Device Certificates shows the usage as Forward Trust Certificate / Forward Untrust Certificate.