Scribd
Upload
181 views3 pages

Change A Root or Intermediate CA Certificate

The document provides a step-by-step guide for replacing a root or intermediate CA certificate in Panorama. It outlines the necessary configurations and actions required to deploy the new certificate and enforce custom-certificate authentication across managed devices. The guide emphasizes the importance of committing changes to ensure proper authentication between Panorama and the devices.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
181 views3 pages

Change A Root or Intermediate CA Certificate

The document provides a step-by-step guide for replacing a root or intermediate CA certificate in Panorama. It outlines the necessary configurations and actions required to deploy the new certificate and enforce custom-certificate authentication across managed devices. The guide emphasizes the importance of committing changes to ensure proper authentication between Panorama and the devices.

Uploaded by

bibist
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

(/content/techdocs/en_US.

html)

Updated on Mar 13, 2025

Home (/) | Panorama (/content/techdocs/en_US/panorama.html)


| Panorama Administrator's Guide (/content/techdocs/en_US/panorama/10-1/panorama-admin.html)
| Set Up Panorama (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama.html)
| Set Up Authentication Using Custom Certificates (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-
authentication-using-custom-certificates.html)
| Change Certificates (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-authentication-using-custom-
certificates/change-certificates.html)
| Change a Root or Intermediate CA Certificate (/content/techdocs/en_US/panorama/10-1/panorama-admin/set-up-panorama/set-up-
authentication-using-custom-certificates/change-certificates/change-a-root-or-intermediate-ca-certificate.html)

DOWNLOAD PDF (/CONTENT/DAM/TECHDOCS/EN_US/PDF/PANORAMA/10-1/PANORAMA-ADMIN/PANORAMA-


ADMIN.PDF)

Panorama Administrator's Guide


(/content/techdocs/en_US/panorama/10-
1/panorama-admin.html)
Change a Root or Intermediate CA Certificate

Table of Contents

Complete the following task to replace a root or intermediate CA certificate.

STEP 1 -
Configure the server to accept predefined certificates from clients.

A Select Panorama > Setup > Management and Edit the Panorama Settings.

B Uncheck Custom Certificate Only.

C Select None from the Certificate Profile drop-down.

D Click OK.

E Commit your changes.

STEP 2 -
Deploy the new root or intermediate CA certificate.
You can deploy certificates (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-
management/certificate-deployment) on Panorama or a server Log Collector by generating a self-signed
certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.

STEP 3 -
Update the CA certificate in the server certificate profile.

A Select Panorama > Certificate Management > Certificate Profile and select the certificate profile to update.

B Delete the old CA certificate.

C Add the new CA Certificate.

D Click OK.

STEP 4 -
Generate or import the new client certificate.

A Select Device > Certificate Management > Certificates.

B Create a self-signed root CA certificate (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-


admin/certificate-management/obtain-certificates/create-a-self-signed-root-ca-certificate) or import a
certificate (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-

management/obtain-certificates/import-a-certificate-and-private-key) from your enterprise CA.

STEP 5 -
Update the CA certificate in the client certificate profile.

A Select Device > Setup > Management and click the Edit icon in Panorama Settings for a firewall or Select
Panorama > Managed Collectors > Add > Communication for a Log Collector and select the certificate
profile to update.

B Delete the old CA certificate.

C Add the new CA Certificate.

D Click OK.

STEP 6 -
After updating the CA certificates on all managed devices, enforce custom-certificate authentication.

A Select Panorama > Setup > Management and Edit the Panorama Settings.
B Select Custom Certificate Only.

C Click OK.

D Commit your changes.

After committing this change, all devices managed by Panorama must use custom certificates. If not,
authentication between Panorama and the device fails.

Was this information helpful?

Yes No

(/content/techdocs/en_US/panorama/10-
Previous
1/panorama-admin/set-up-panorama/set-up- Next
Change a (/content/techdocs/en_US/panorama/10-
authentication-using-custom- Manage
Client 1/panorama-admin/manage-firewalls.html)
certificates/change-certificates/change-a- Firewalls
Certificate
client-certificate.html)

Technical Documentation Co

Release Notes (/content/techdocs/en_US/release-notes.html) Abo


Search (/content/techdocs/en_US/search.html) Care
Blog (https://www.paloaltonetworks.com/blog/category/technical- Cus
documentation/) LIVE
Compatibility Matrix (/content/techdocs/en_US/compatibility- Kno
matrix.html)
OSS Listings (/content/techdocs/en_US/oss-listings.html)
Sitemap (/content/techdocs/en_US/sitemap.html)

(https://www.facebook.com/PaloAltoNetworks) (https://w
(https://www.youtube.com/channel/UCPRouchFt58TZnjoI65aelA)

(/content/techdocs/en_US.html) © 2025 Palo Alto Ne

You might also like