Elaboration on the differences between the PAN-OS root certificate, the device certificate, and the certificate under cert management?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Elaboration on the differences between the PAN-OS root certificate, the device certificate, and the certificate under cert management?

L0 Member

I've been requested to get as much information as I can on this topic, and I've found a good one on Reddit.

A piece of info that i found on redditA piece of info that i found on reddit

 

It's great, but somehow I still need much more elaboration on this.

 

Could anyone provide me a document that elaborates on the differences between the PAN-OS root certificate, the device certificate, and the certificate under cert management?


I've contacted TAC support, but they seem to be a bit unresponsive.


Thank you

1 REPLY 1

L4 Transporter

Hello @MFEC - there are lots of different certificates in use within PAN-OS, and I'm not aware of a singular document describing them all and what they are all there to do.  Generally speaking though:

- Root certificates are generally installed on the devices in order to provide a chain of trust for the client - in this case, the NGFW or Panorama or similar - to a server.  These servers will typically in our case be cloud-delivered security services (WildFire, Advanced WildFire, URL Filtering, and similar), or used for authenticating the server to the client for things like content updates, firmware updates, and the like.  They're, in many cases, not visible directly - you can see them in a packet capture, but in many cases there is no accessible CLI or GUI option to look at them.  In many cases they're very long lived. 

- Default certificates are something we're generally trying to move away from, and our best practice advice is to install custom or device certificates where you can.  These are typically used to authenticate the device (NGFW, Panorama, etc) against some other service, be it CDSS or similar.  Again, these tend to be long lived, and tend not to be that visible in the CLI or GUI. 

- Device certificates are used to provide a stronger chain of trust than a default certificate: they're generally short lived (90 days, with refresh occurring between 75 and 90 days), and automatically installed and replaced once the initial certificate has been generated.  These provide mutual authentication of the client against the server (ie, NGFW to a cloud-delivered security service or similar). In some cases and in newer code releases there are commands to see these certificates and their remaining lifetime.

- Custom certificates can be used for mutual, internal authentication - for example, Panorama to NGFW and vice-versa.  These can generally be tied to an organisational CA, and allow customers to comply with their own authentication and encryption policies without so much dependence on Palo Alto Networks' services.  The scope and use of these was expanded significantly with and beyond 10.0, to include various forms of content redistribution (that is, things like User-ID redistribution between firewalls or between firewalls and Panorama).  These are visible in and manageable from the GUI and CLI.

- Certificates under certificate management can form part of an SSL inspection regime, and again can be tied to an enterprise or organisational CA.  They can also be used for things like device/user authentication.  Again, visible in and manageable from the GUI and CLI.

 

I hope this helps?

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks
  • 385 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!