- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-11-2025 02:19 AM
Hello,
I am working with an IPsec VPN setup on my Palo Alto Networks firewall and am currently using certificate-based authentication. My organization utilizes an internal Certificate Authority (CA) that supports ACME (Automatic Certificate Management Environment) for certificate enrollment. However, I haven't been able to find any resources or forums indicating whether Pan-OS supports ACME for automated certificate management.
Is there a way to configure Pan-OS to integrate with an ACME server for certificate enrollment? Any guidance or documentation would be greatly appreciated!
Thank you!
01-15-2025 08:06 PM
Hi @melissa59zebrowski ,
PAN-OS does not natively support ACME. You will have to leverage SCEP for auto cert enrollment.
07-02-2025 10:45 PM
This really needs to change. ACME is a standard protocol and automation is going to become critical as certificate length gradually decreases down to 47 days maximum in 2029. This is a security feature, I would like to think Palo Alto would be ahead of the curve on this one, not playing catch up...
Certificate expiry will be down to 6 months as of March next year 2026.
Please, help us.
01-14-2026 01:03 AM
Hello, is there any update of the ACME client native integration to PAN-OS? Should we expect that feature in the upcoming releases?
07-10-2026 07:33 AM
Yes, with certificates slowly need to be under 182 days, and eventually 47 days (see timeline here: https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days ), this has to be a priority. I think Palo Alto might think they're covered since they have some automation around a few certificate processes, but they are severely lagging behind for the web administration GUI certificate. Thankfully, they already have 90% of it made, the separate elements just need to be tied together.
There's even multiple different approaches Palo Alto can take here:
- the easier approach is simply to have SCEP be able to trigger a run when cert is under a certain number of days, then auto-import, then auto-apply to the same TLS profile and commit. These processes already exist either in the SCEP code or the REST or XML API commands. They just need to test out the auto-running of it all in one tiny script they could add to the OS.
- or they can embrace ACME by creating some software that could contact an ACME server or just making ACME software for the OS itself (although Admins would want this, I'm guessing this is less likely)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!

