04-06-2026 09:34 PM
Hi All,
So basically, certificate validity will be shortened gradually until it is down to 47 days. The prospect of importing and reconfiguring our decryption policies that often is not very appealing.
The problem I see is that, while we can automate certificate renewal on the servers, and the actual import process using CLI/API, there's still a crucial handover of private keys and certificates from servers to NGFW needed before we can import anything to the NGFW.
Our certificate provider does have APIs to retrieve certificates, but then we'd still need to coordinate which specific certificate to import for which server/decryption policy rule.
Is there an "official" solution/workaround from PA? Thanks
04-07-2026 02:13 AM
One practical approach is to automate the certificate lifecycle using Let’s Encrypt with Certbot, combined with Ansible to handle the import and update process on the firewall.
Explanation
You are correct that certificate lifetimes are being reduced (towards ~47 days) as part of industry efforts to improve security and reduce the risk of certificate compromise.
In this context, Let's Encrypt has become widely adopted due to its support for automated certificate issuance and renewal using the ACME protocol.
Proposed Solution
A practical and scalable approach is to combine:
• Certbot (ACME client) – to automate certificate issuance and renewal
• Ansible – to automate the import and update process on the firewall
Workflow:
Let’s Encrypt
│
Certbot (auto-renewal)
│
Post-renew hook
│
Ansible Playbook
│
PAN-OS API
│
Firewall (certificate replaced)
How It Works
Key Benefits
• Fully automated certificate lifecycle
• No manual re-import every renewal cycle
• Scalable and suitable for short-lived certificates
• Reduces operational overhead significantly
Using Let’s Encrypt with Certbot for automated renewal, combined with Ansible to push certificates to the firewall via API, is an effective workaround to handle short-lived certificates and reduce manual operational effort.
04-07-2026 12:40 PM - edited 04-07-2026 12:53 PM
Hi @itassetbenilde ,
Are the browsers going to start enforcing the 47-day rule, also? I haven't heard that, but I could have missed it. If it is just the public CAs, it doesn't affect decryption certificates.
More and more CAs support ACME. There are numerous scripts that simplify the process:
CA
|
Certbot or acme.sh
|
PAN-OS API
https://github.com/coopertownsend/pan-certbot
As @abayoumi21 mentioned, using the same name should simplify the process. If that doesn't work, changing the certificate in the SSL/TLS Service Profile is the next easiest.
I would imagine that many CAs will allow you to renew the cert with the same private key, which would be easier.
Thanks,
Tom
Update: This is a good discussion -> https://www.reddit.com/r/paloaltonetworks/comments/1ksg6bp/automating_certificate_renewals/.
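Both replies above describe the same pipeline (Certbot renews, a post-renew hook pushes the new keypair to the firewall over the PAN-OS XML API, the firewall commits). The script below is an added example of that hook, written for this thread; it is not code from the original posts, from Palo Alto Networks, or from the linked pan-certbot project. It calls the API directly with curl instead of going through an Ansible playbook, and it imports under the same certificate name every time, which is the "same name" trick Tom mentions: the SSL/TLS Service Profile and decryption policy keep pointing at that name, so nothing else on the firewall has to be edited. Certbot sets RENEWED_LINEAGE and RENEWED_DOMAINS when it runs a deploy hook; the variables PAN_FW, PAN_APIKEY, PAN_CERT_NAME and PAN_P12_PASS, and the hook path in the first comment, are assumptions for this example.

```shell
#!/bin/sh
# Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/pan-import.sh
# Certbot runs every script in that directory after a successful renewal with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/web01.example.com) and
# RENEWED_DOMAINS set. Everything below PAN_* is an assumed operator setting:
#   PAN_FW        firewall management address
#   PAN_APIKEY    PAN-OS API key (sent in the X-PAN-KEY header, not in the URL)
#   PAN_CERT_NAME certificate object name the decryption policy references
#   PAN_P12_PASS  passphrase protecting the temporary PKCS#12 bundle
set -eu

# Build the PAN-OS XML API URL that imports a keypair in PKCS#12 format.
# Importing under an existing certificate-name replaces that object in place.
build_import_url() {
    fw="$1"; cert_name="$2"; pass="$3"
    printf 'https://%s/api/?type=import&category=keypair&certificate-name=%s&format=pkcs12&passphrase=%s' \
        "$fw" "$cert_name" "$pass"
}

# Return 0 if a PAN-OS XML API response reports success, 1 otherwise.
# The API answers HTTP 200 even on failure, so the body has to be inspected.
api_ok() {
    case "$1" in
        *'<response status="success"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Package privkey.pem + fullchain.pem from a Certbot lineage directory into a
# passphrase-protected PKCS#12 file; PAN-OS will not accept an unprotected key.
bundle_pkcs12() {
    lineage="$1"; out="$2"; pass="$3"
    openssl pkcs12 -export -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
        -out "$out" -passout "pass:$pass"
    chmod 600 "$out"
}

# Upload the bundle, then commit. Add --cacert <file> to both curl calls if the
# management interface uses a private CA rather than skipping verification.
import_and_commit() {
    fw="$1"; apikey="$2"; cert_name="$3"; p12="$4"; pass="$5"
    resp=$(curl -sS -H "X-PAN-KEY: $apikey" -F "file=@$p12" \
        "$(build_import_url "$fw" "$cert_name" "$pass")")
    api_ok "$resp" || { echo "import failed: $resp" >&2; return 1; }
    resp=$(curl -sS -H "X-PAN-KEY: $apikey" --data-urlencode 'cmd=<commit></commit>' \
        "https://$fw/api/?type=commit")
    api_ok "$resp" || { echo "commit failed: $resp" >&2; return 1; }
}

# Only act when Certbot invoked us after a renewal; sourcing the file for
# testing or running it by hand without that variable does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    tmp=$(mktemp -t pan-keypair.XXXXXX)
    trap 'rm -f "$tmp"' EXIT
    bundle_pkcs12 "$RENEWED_LINEAGE" "$tmp" "${PAN_P12_PASS:?}"
    import_and_commit "${PAN_FW:?}" "${PAN_APIKEY:?}" "${PAN_CERT_NAME:?}" "$tmp" "$PAN_P12_PASS"
    echo "replaced $PAN_CERT_NAME on $PAN_FW for $RENEWED_DOMAINS"
fi
```

The keypair never leaves the renewal host except inside the TLS-protected upload, which addresses the handover concern in the original question: there is no separate copy step, and the temporary PKCS#12 is removed when the hook exits. One certificate object per server and a fixed PAN_CERT_NAME per hook keeps the mapping between lineage and decryption rule explicit.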