topic Re: Renew of Self Signed SSL Forward Trust Certificate without Root CA in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/renew-of-self-signed-ssl-forward-trust-certificate-without-root/m-p/1236021#M6199 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/428271453">@f.kuecuek</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings!</P> <P>&nbsp;</P> <P>&nbsp;Yes, you will need to re-import new certificate on the clients with updated expiry date.</P> <P>&nbsp;</P> Thu, 14 Aug 2025 16:56:17 GMT mshekh 2025-08-14T16:56:17Z Renew of Self Signed SSL Forward Trust Certificate without Root CA https://live.paloaltonetworks.com/t5/next-generation-firewall/renew-of-self-signed-ssl-forward-trust-certificate-without-root/m-p/1235937#M6193 <P>Hello,<BR /><BR />I have a self-signed (self-generated) certificate without a Root CA on a firewall, which is used for SSL Forward Proxy to decrypt traffic.<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fkuecuek_1-1755079916908.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68849iD5E5B191FE40C9C9/image-size/medium?v=v2&amp;px=400" role="button" title="fkuecuek_1-1755079916908.png" alt="fkuecuek_1-1755079916908.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P data-start="254" data-end="355">The certificate is valid for 10 day and has been imported on client machines as a trusted root CA.<BR /><BR />The question is that : If I renew this certificate on the firewall, will I need to re-import it on the clients, or can they continue to use the old/expired trusted CA?<BR /><BR /></P> <P data-start="357" data-end="628">In lab tests, the key pair on the firewall did not change after renewal, and clients still trusted the old certificate.<BR /><BR /></P> <P data-start="630" data-end="716">Has anyone encountered a similar scenario or can confirm this behavior?<BR /><BR data-start="701" data-end="704" />Thank you.</P> Wed, 13 Aug 2025 10:13:25 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/renew-of-self-signed-ssl-forward-trust-certificate-without-root/m-p/1235937#M6193 f.kuecuek 2025-08-13T10:13:25Z Re: Renew of Self Signed SSL Forward Trust Certificate without Root CA https://live.paloaltonetworks.com/t5/next-generation-firewall/renew-of-self-signed-ssl-forward-trust-certificate-without-root/m-p/1236021#M6199 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/428271453">@f.kuecuek</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings!</P> <P>&nbsp;</P> <P>&nbsp;Yes, you will need to re-import new certificate on the clients with updated expiry date.</P> <P>&nbsp;</P> Thu, 14 Aug 2025 16:56:17 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/renew-of-self-signed-ssl-forward-trust-certificate-without-root/m-p/1236021#M6199 mshekh 2025-08-14T16:56:17Z