- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-17-2026 07:35 AM
With the pending move of publicly issued certificates to a shorter time frame, is there anyway to ease the amount of effort to get the new certificates installed on the firewalls since it will now need to be done multiple times a year? Working on a few that will using SAML for authentication and be managed by Panorama so trying to see the best approach.
I've found some forum posts elsewhere with some steps but wasn't sure what the best approach would be.
07-17-2026 10:30 AM
Hi @DJ_1924 ,
I have a friend that uses this method with Let's Encrypt and it works like a charm. https://www.linkedin.com/pulse/can-we-configure-palo-alto-firewalls-automatically-obtain-joe-brunner...
As you can see, the author uses ACME to fetch the certificate from GoDaddy. Many CAs support ACME now. So, there is a good chance it will work with your CA.
You can ignore Step 6: Apply the Cert on the Firewall. The script uses the same name and overwrites the same cert.
Panorama is also included in the script! Here are the variables: https://github.com/acmesh-official/acme.sh/blob/master/deploy/panos.sh I am going to test the script with Panorama this year.
The best solution would be for Palo Alto to include a built-in ACMEv2 client into the NGFW. Everyone who wants this feature should contact their SE and request it. More requests = greater chance of implementation.
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!

