06-17-2024 08:23 PM
Hi Team,
I have received an alert "SSL Certificates-HTTPS HTTPS DaysRemaining" for Palo Alto. When I log in to the firewall in the browser, I can see the browser shows it as Not Secure, and when I check the certificate, it shows it will expire on July 14.
In the screenshot below, the part which I hid contains the serial number of the device.
Can someone please help me understand which certificate this is? How will it get renewed?
09-01-2024 08:31 PM
Hello @M.Sharma415844
You are seeing the default certificate for the management interface.
Replace it with a custom cert by following the document below:
09-20-2024 08:17 PM
Thank you for your response. I understand the process of creating and attaching custom certificates to the management interface.
However, I am specifically looking for more detailed information about the “default certificate for the management interface.” Do you have any additional details regarding this certificate?
Thanks in advance.
09-20-2024 08:25 PM
It's documented in the article that @akuzhuppilly linked to directly and is described in the very first sentence of the article. You're using the certificate that the firewall generated itself when you powered it on the first time after it was purchased or after the last time it was factory reset.
09-20-2024 08:29 PM
Thank you for your quick reply.
I overlooked that detail. I appreciate you bringing it to my attention.
09-20-2024 08:34 PM
One last question with respect to this topic: so this certificate gets renewed automatically?
09-20-2024 09:06 PM
No, it's not renewed automatically. Generally, best practice is that you would generate a certificate for the management interface through your organization's PKI system. Some people will generate a self-signed certificate and import it into the trust store of the machines that will be used to monitor the firewall if they don't have an internal PKI in place.
Like anything else, you want to have some sort of unexpired certificate installed on the management interface, whether that's issued by your organization's PKI or self-signed on the firewall and imported into the machines that will be monitoring the system. You don't want to train your firewall administrators to just bypass the certificate warning without validating the certificate, as you're essentially training poor behavior. If someone is used to just bypassing a certificate warning, it makes it easier to intercept their traffic and proxy the connection, as they've already been trained to just bypass the certificate warning that such an attack would present.
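Added example (not part of any reply in this thread): since the default certificate is not renewed automatically, a small check like the one below can report both how close a management certificate is to expiry and whether it is still self-issued. The file names, the `fw-mgmt.example.test` CN and the 30-day threshold are constructed for illustration, and subject-equals-issuer is used as a heuristic for "self-signed".

```shell
#!/bin/sh
# Added example: classify a PEM certificate the way an expiry monitor would.
# To check a live management interface, save the presented certificate first:
#   openssl s_client -connect HOST:443 </dev/null 2>/dev/null | openssl x509 > mgmt.pem
# (HOST is a placeholder for the management address.)

# name_of FIELD FILE: print the subject or issuer DN in RFC 2253 form
name_of() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# cert_status FILE WARN_DAYS: print "<expired|expiring|ok> <self-issued|ca-issued>"
cert_status() {
    file=$1
    warn_secs=$(( $2 * 86400 ))
    # -checkend N exits non-zero when the certificate expires within N seconds
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null; then
        state=expired
    elif ! openssl x509 -in "$file" -noout -checkend "$warn_secs" >/dev/null; then
        state=expiring
    else
        state=ok
    fi
    # Subject equal to issuer: no external CA vouches for this certificate
    if [ "$(name_of subject "$file")" = "$(name_of issuer "$file")" ]; then
        origin=self-issued
    else
        origin=ca-issued
    fi
    echo "$state $origin"
}

# make_sample_cert DIR DAYS: constructed self-signed certificate standing in
# for a device-generated default (sample data, not taken from a real firewall)
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=fw-mgmt.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 10
cert_status "$demo_dir/cert.pem" 30   # prints: expiring self-issued
rm -rf "$demo_dir"
```

A result of `ok ca-issued` is the state the last reply recommends; anything `self-issued` should at least be pinned in the trust store of the machines that administer or monitor the firewall.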