topic Re: Decryption policies and Short-Lived Certificates in Next-Generation Firewall Discussions

Decryption policies and Short-Lived Certificates

itassetbenilde — Tue, 07 Apr 2026 04:34:16 GMT

Hi All,

So basically, certificate validity will be shortened gradually until it is down to 47 days. The prospect of importing and reconfiguring our decryption policies that often is not very appealing.

The problem i see is that, while we can automate certificate renewal on the servers, and the actual import process using CLI/API, there's still a crucial handover of private keys and certificates from servers to NGFW needed before we can import anything to the NGFW.

Our certificate provider does have APIs to retrieve certificates, but then we'd still need to coordinate which specific certificate to import for which server/decryption policy rule.

Is there an "official" solution/workaround from PA? Thanks

Re: Decryption policies and Short-Lived Certificates

abayoumi21 — Tue, 07 Apr 2026 09:13:35 GMT

One practical approach is to automate the certificate lifecycle using Let’s Encrypt with Certbot, combined with Ansible to handle the import and update process on the firewall.

Explanation

You are correct that certificate lifetimes are being reduced (towards ~47 days) as part of industry efforts to improve security and reduce the risk of certificate compromise.

In this context, Let's Encrypt has become widely adopted due to its support for automated certificate issuance and renewal using the ACME protocol.

Proposed Solution

A practical and scalable approach is to combine:

• Certbot (ACME client) – to automate certificate issuance and renewal
• Ansible – to automate the import and update process on the firewall

Workflow:

Let’s Encrypt
     │
Certbot (auto-renewal)
     │
Post-renew hook
     │
Ansible Playbook
     │
PAN-OS API
     │
Firewall (certificate replaced)

How It Works

Certbot automatically renews certificates from Let’s Encrypt.
After renewal, a post-renew hook is triggered.
The hook executes an Ansible playbook.
Ansible uploads the new certificate and private key to the firewall via API.
The certificate is replaced using the same name, so no changes are required in decryption policies.

Key Benefits

• Fully automated certificate lifecycle
• No manual re-import every renewal cycle
• Scalable and suitable for short-lived certificates
• Reduces operational overhead significantly

Summary

Using Let’s Encrypt with Certbot for automated renewal, combined with Ansible to push certificates to the firewall via API, is an effective workaround to handle short-lived certificates and reduce manual operational effort.

Re: Decryption policies and Short-Lived Certificates

TomYoung — Tue, 07 Apr 2026 19:53:44 GMT

Hi @itassetbenilde ,

Are the browsers going to start enforcing the 47-day rule, also? I haven't heard that, but I could have missed it. If it is just the public CAs, it doesn't affect decryption certificates.

More and more CAs support ACME. There are numerous scripts that simplify the process:

Certbot or acme.sh

PAN-OS API

https://www.linkedin.com/pulse/can-we-configure-palo-alto-firewalls-automatically-obtain-joe-brunner-qrxoe/

https://medium.com/palo-alto-networks-developer-blog/costless-automated-trusted-certificates-on-palo-alto-networks-firewalls-5b2930b2893f

https://github.com/coopertownsend/pan-certbot

As @abayoumi21 mentioned, using the same name should simplify the process. If that doesn't work, changing the certificate in the SSL/TLS Service Profile is the next easiest.

I would imagine that many CAs will allow you to renew the cert with the same private key, which would be easier.

Thanks,

Tom

Update: This is a good discussion -> https://www.reddit.com/r/paloaltonetworks/comments/1ksg6bp/automating_certificate_renewals/.