How to Renew or Replace an Expired Certificate

104528

Created On 08/09/22 20:08 PM - Last Modified 08/23/23 18:50 PM

Admin Access

Certificate Profile

Clientless VPN

GlobalProtect Gateway

GlobalProtect Portal

Log Forwarding

Site-to-Site VPN

SSL Forward Proxy

SSL Inbound Inspection

SSL VPN

User-ID agent

Administration

CSR

Certificate Management

Decryption

Reporting and Logging

Device Telemetry

9.0

9.1

10.0

10.2

10.1

GlobalProtect

Cortex Data Lake

PAN-OS

Panorama

Security Operations

Strata Cloud Manager

Objective

Renewing or replacing an expired certificate.

Environment

PAN-OS
Certificates/PKI

Procedure

Renew or replace the certificate based on its type:
1. If the expired certificate is under Device > Certificates then:

If the certificate is signed by the firewall acting as a CA, then use:

How to Renew a Locally Generated Certificate

If the certificate is signed by an external/third-party CA, then use:

How to Generate a CSR (Certificate Signing Request) & Import the Signed Certificate

If the certificate is a CA Certificate, then use:

How to Import a CA Certificate on the Firewall

Tip: to view these certificates, use the CLI command below:

> request certificate show

If the expired certificate is the Device Certificate, navigate to Device > Setup > Management > Device Certificate and perform the below steps:

How to Install a Device Certificate
CLI Command:

> show device-certificate status

Note: The Device Certificate is used to securely connect to and leverage Palo Alto Networks cloud services for features such as Device Telemetry, IoT Security , and Strata Cloud Manager (AIOps for NGFW) if you choose to use them (more details here)

If the expired certificate is the Logging Service Certificate, navigate to Device > Setup > Management > Logging Service (Cortex Data Lake) and perform the below steps:

How to Renew Expired Certificate for Logging Service (Cortex Data Lake)
CLI Command:

> request logging-service-forwarding status

Additional Information

Additional Information:
Renew a Certificate
Obtain a Certificate from an External CA

Install a Device Certificate
How to Install a Device Certificate
Impact and Meaning of System Logs showing "No Valid Device Certificate Found"

Start Sending Logs to Cortex Data Lake
Verifying Cortex Data Lake Connectivity On A Palo Alto Firewall
Troubleshooting Firewall Connectivity Issues With Logging Service
How To Troubleshoot Connection Failure To Cortex Data Lake (CDL)

Tip: One way to find out which certificate(s) are currently in use (and by which configured software features) is by searching the Global Find (top-right search box in PAN-OS Web UI) using the name of certificate. The result of the search will list either the SSL/TLS Service Profile or the Certificate Profile where this certificate is used. You can then use the name of those to continue your search. For certificates used for decryption you will see under Device > Certificates > Device certificates that the usage is showing Forward Trust Certificate/ Forward Untrust Certificate.

How to Renew or Replace an Expired Certificate

Objective

Environment

Procedure

Additional Information

Other users also viewed: