This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Device Certificate - Where to find OTP?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Device Certificate - Where to find OTP?

Go to solution
fhewiufhwefhwe
L4 Transporter

‎05-17-2020 07:26 AM

Under Device -> Setup -> Management -> Device Certificate, I am unable to fetch the device certificate.

 

A message box says get your one-time-password from the Customer Support Portal and enter it below.  I tried my 2-factor OTP that I use to login to the support portal, but that doesn't work.  How do I generate the OTP to get the device certificate?

 

I get the error: Failed to fetch device certificate.OTP is not valid

13 people had this problem.
0 Likes Likes
23 REPLIES 23

Go to solution
MinoriTelang
L0 Member

‎09-03-2020 12:53 AM

I recently installed the device certificate and it is valid only for 3 months. Do I have to install it in every 3 months?

Go to solution
fhewiufhwefhwe
L4 Transporter
In response to MinoriTelang

‎09-04-2020 09:35 AM

Mine last renewed at 4:52am, so I think it is automatic.

Go to solution
Klaverblad
L2 Linker
In response to dgnewell

‎09-23-2020 11:41 PM

I still don't completely understand this.

 

We upgraded to 9.1.4 and now we're required to allow telemetry data to PA?

Or accept a constant high alert in the system logs: no valid device certificate found.

Why not allow customers to opt-in to this kind of functionality or at least explain this in a popup screen like a reminder:

"you need to configure this post-upgrade, etc. or opt-out see: "explanation here  and here"

0 Likes Likes

Go to solution
dgnewell
L3 Networker
In response to Klaverblad

‎09-24-2020 12:38 AM - edited ‎09-24-2020 12:41 AM

You are not required to allow telemetry.

 

You can turn it all off on the Device > Setup > Telemetry page. 

 

Telemetry does provide some significant security benefits to individual organizations, and collectively back to the community as a whole.

 

One use case: In the escalating arms race of automation on the attacker side of the equation and as we, in turn, continue to work on the practical applications of automation and AI, your telemetry data can, for example, enable us, the vendor, to initiate immediate, focused, and direct outreach in the event of corner-case configurations that are discovered to be uniquely vulnerable and/or actively in the spotlight of bad actors. Without individual and community-wide participation, certain kinds of detections, assessments, and mitigations, of course, become impossible to make. Hand in hand, the ability to process, store, and apply intelligence to such telemetry data requires data-lake-scale solutions, but not at the expense of assurances of the integrity of the connections to that resource and the integrity and context of the data itself. Thus, the additional requirement for connecting to the data-lake service with the added certificate. 

 

I hope this makes some sense. 

Go to solution
Klaverblad
L2 Linker
In response to dgnewell

‎09-25-2020 12:00 AM

I understand I am not required to allow telemetry. That is not my concern in this.

After the upgrade to 9.1.2+ a high/red alert is repeatedly shown in the system logs that telemetry is simply not configured and cannot be used until, according to the procedure, the certificates are in place.

If anyone is not required to allow telemetry why didn't they choose to:

- Make enabling telemetry participation an opt-in feature, or

- Add a more intuitive notification AND alert (informational): "Telemetry is not configured. Please see manual how to enable it."

 

Just adding a high alert to the system logs, because a new feature is not configured is unnecessary and created some confusion.

Missing/faulty/expired certificates is typically a bad thing and often does need immediate attention. In this case it does not.

(1)

Go to solution
CyberEye
L3 Networker

‎03-14-2021 01:15 AM

Do we need to renew the certificate every 3 months ??

 

Go to solution
KoShy
L1 Bithead
In response to CyberEye

‎03-18-2021 02:31 AM

I would also like to know that. We have devices with expired certificates which do not auto-renew. We get error: Failed to renew device certificate. Failed to send request to CSP server. Error: No OCSP response received(dest => 35.238.43.180).

0 Likes Likes

Go to solution
Aimee
L1 Bithead

‎11-09-2023 07:46 PM

Did the OTP page move? I am not seeing a one time password area under assets.

0 Likes Likes

Go to solution
btausend
L0 Member

‎11-16-2023 11:15 AM

Take a look under Products -> Device Certificates

0 Likes Likes
  • 47561 Views
  • 23 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks