topic Re: SSL Certificates expiration notification in Next-Generation Firewall Discussions

SSL Certificates expiration notification

M.Sharma415844 — Tue, 18 Jun 2024 03:23:55 GMT

Hi Team,

I have received an alert "SSL Certificates-HTTPS HTTPS DaysRemaining" for Palo Alto. When I log in to the firewall in the browser, I can see browser shows as Not Secure and when I check the certificate, it shows it will expire in July 14.

In the below screenshot, the part which I hide consist the serial number of the device.

Can some one please help me to understand which certificate is this? How will it get renewed?

Re: SSL Certificates expiration notification

akuzhuppilly — Mon, 02 Sep 2024 03:31:50 GMT

Hello @M.Sharma415844

You are seeing the default certificate for management interface.

Replace it with a custom cert by following below document:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/replace-the-certificate-for-inbound-management-traffic

Re: SSL Certificates expiration notification

M.Sharma415844 — Sat, 21 Sep 2024 03:17:36 GMT

@akuzhuppilly

Thank you for your response. I understand the process of creating and attaching custom certificates to the management interface.

However, I am specifically looking for more detailed information about the “default certificate for the management interface.” Do you have any additional details regarding this certificate?

Thanks in advance.

Re: SSL Certificates expiration notification

BPry — Sat, 21 Sep 2024 03:25:07 GMT

@M.Sharma415844,

It's documented in the article that @akuzhuppilly linked to directly and is described in the very first sentence of the article. You're using the certificate that the firewall generated itself when you powered it on the first time after it was purchased or after the last time it was factory reset.

Re: SSL Certificates expiration notification

M.Sharma415844 — Sat, 21 Sep 2024 03:29:45 GMT

@BPry

Thank you for your quick reply.

I overlooked that detail. I appreciate you bringing it to my attention.

Re: SSL Certificates expiration notification

M.Sharma415844 — Sat, 21 Sep 2024 03:34:27 GMT

@BPry & @akuzhuppilly

One last question with respect to this topic, so this certificate gets renewed automatically?

Re: SSL Certificates expiration notification

BPry — Sat, 21 Sep 2024 04:06:41 GMT

@M.Sharma415844,

No, it's not renewed automatically. Generally best practice is that you would generate a certificate for the management interface through your organizations PKI system. Some people will generate a self-signed certificate and import it into the trust store of the machines that will be used to monitor the firewall if they don't have an internal PKI in place.

Like anything else you want to have some sort of unexpired certificate installed on the management interface, whether that's issued by your organization's PKI or self-signed on the firewall and imported into the machines that will be monitoring the system. You don't want to train your firewall administrators to just bypass the certificate warning without validating the certificate as you're essentially training poor behavior. If someone is used to just bypassing a certificate warning it makes it easier to intercept their traffic and proxy the connection as they've already been trained to just bypass the certificate warning that such an attack would present.