How to renew the expired Device Certificate
107907
Created On 09/05/22 01:36 AM - Last Modified 02/19/26 07:08 AM
Objective
The Device Certificate status displays "Expired" in the output of "show device-certificate status". How can the certificate be renewed?
> show device-certificate status
Device Certificate information:
Current device certificate status: Expired
Not valid before: 2022/04/01 00:00:00 PDT
Not valid after: 2022/06/30 00:00:00 PDT
Last fetched timestamp: 2022/06/30 05:00:00 PDT
Last fetched status: failure
Last fetched info: Failed to renew device certificate.
Failed to send request to CSP server.
Error: *****
Environment
- Palo Alto Firewalls.
- PAN-OS 9.1.2 and later releases.
- Device Certificate.
Procedure
- The Device Certificate is valid for 90 days from the time it is generated.
- The firewall checks nightly and automatically renews its certificate 15 days prior to the expiration of the existing certificate.
- If automatic renewal fails and the device certificate expires, the customer needs to go through the certificate onboarding process again as described in the Administrator's Guide.
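A monitoring check built on the values above, added here as an example and not Palo Alto Networks code: it parses saved "show device-certificate status" output and flags a certificate that is expired, or that is inside the 15-day renewal window while the last fetch failed. The state names and the sample text are constructed for illustration, and timestamps are compared as device-local time.

```python
import re
from datetime import datetime, timedelta

RENEW_WINDOW = timedelta(days=15)  # article: auto-renewal starts 15 days before expiry

# Constructed sample, modelled on the CLI output shown in this article.
SAMPLE = """\
Device Certificate information:
Current device certificate status: Expired
Not valid before: 2022/04/01 00:00:00 PDT
Not valid after: 2022/06/30 00:00:00 PDT
Last fetched timestamp: 2022/06/30 05:00:00 PDT
Last fetched status: failure
"""

def parse_status(text):
    """Turn the 'key: value' lines of the CLI output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()] = value.strip()
    return fields

def _ts(value):
    # The timezone abbreviation (e.g. PDT) is dropped; assumption: the caller
    # passes 'now' in the same local time the device reports.
    m = re.match(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}", value)
    return datetime.strptime(m.group(0), "%Y/%m/%d %H:%M:%S") if m else None

def assess(text, now):
    """Return a hypothetical state name for alerting on the certificate."""
    f = parse_status(text)
    not_after = _ts(f.get("not valid after", ""))
    if not_after is None:
        return "UNKNOWN"  # output missing or in an unexpected format
    reported = f.get("current device certificate status", "").lower()
    if reported == "expired" or now >= not_after:
        return "EXPIRED"  # onboarding process has to be repeated
    in_window = now >= not_after - RENEW_WINDOW
    fetch_failed = f.get("last fetched status", "").lower() == "failure"
    if in_window and fetch_failed:
        return "RENEWAL_FAILING"  # fix CSP reachability before expiry
    return "RENEWAL_DUE" if in_window else "OK"

if __name__ == "__main__":
    print(assess(SAMPLE, datetime(2022, 7, 1)))
```

Alerting on RENEWAL_FAILING leaves time to restore connectivity to the CSP server before the certificate expires.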
Additional Information
The detailed procedure to restore an expired Device Certificate is now documented in the NGFW Administration document.
The expired device certificate may be renewed automatically on the first boot during the upgrade process, provided the device has outbound internet access and the FQDNs and ports needed to reach the Customer Support Portal are allowed on your network.