SSL Certificates expiration notification


L2 Linker

Hi Team,

I have received an alert "SSL Certificates-HTTPS HTTPS DaysRemaining" for Palo Alto. When I log in to the firewall in the browser, I can see that the browser shows it as Not Secure, and when I check the certificate, it shows it will expire on July 14.

In the screenshot below, the part I have hidden contains the serial number of the device.

Can someone please help me to understand which certificate this is? How will it get renewed?

[Screenshot attached: MSharma415844_1-1718680977001.png]


6 REPLIES

L4 Transporter

Hello @M.Sharma415844 

You are seeing the default certificate for management interface.

Replace it with a custom cert by following the document below:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certificate-management/replace-the-certif...

Anoopkumar
Network Security Engineer

@akuzhuppilly

Thank you for your response. I understand the process of creating and attaching custom certificates to the management interface.

However, I am specifically looking for more detailed information about the “default certificate for the management interface.” Do you have any additional details regarding this certificate?

Thanks in advance.

Cyber Elite

@M.Sharma415844,

It's documented in the article that @akuzhuppilly linked to directly and is described in the very first sentence of the article. You're using the certificate that the firewall generated itself when you powered it on the first time after it was purchased or after the last time it was factory reset.

@BPry

Thank you for your quick reply.

I overlooked that detail. I appreciate you bringing it to my attention.

@BPry & @akuzhuppilly

One last question with respect to this topic: does this certificate get renewed automatically?

Cyber Elite

@M.Sharma415844,

No, it's not renewed automatically. Generally, best practice is that you would generate a certificate for the management interface through your organization's PKI system. Some people will generate a self-signed certificate and import it into the trust store of the machines that will be used to monitor the firewall if they don't have an internal PKI in place.

Like anything else, you want to have some sort of unexpired certificate installed on the management interface, whether that's issued by your organization's PKI or self-signed on the firewall and imported into the machines that will be monitoring the system. You don't want to train your firewall administrators to just bypass the certificate warning without validating the certificate, as you're essentially training poor behavior. If someone is used to just bypassing a certificate warning, it makes it easier to intercept their traffic and proxy the connection, as they've already been trained to just bypass the certificate warning that such an attack would present.
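The alert in the original question and the advice in this last reply share one underlying check: how many days remain on the certificate the management interface serves, verified against a trust anchor you actually chose rather than by clicking through a browser warning. The script below is an added example written for this thread; it is not Palo Alto Networks code or anything the LIVEcommunity provides. The host name, port, trust-anchor path and the 30/7-day thresholds are placeholders and illustrative defaults, not values from the thread or from PAN-OS. It uses only the Python standard library.

```python
"""Days-remaining check for the certificate served on a firewall's HTTPS
management interface. Added example for this thread; not Palo Alto
Networks code. Host, port, cafile and thresholds are placeholders.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional

WARN_DAYS = 30   # illustrative: start planning the replacement
CRIT_DAYS = 7    # illustrative: escalate


def days_remaining(not_after: str, now: Optional[datetime] = None) -> int:
    """Whole days until expiry; negative once the certificate has expired.

    `not_after` uses the format ssl.getpeercert()["notAfter"] returns,
    e.g. 'Jul 14 12:00:00 2024 GMT'.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return int((expiry_ts - now_ts) // 86400)


def classify(days: int, warn: int = WARN_DAYS, crit: int = CRIT_DAYS) -> str:
    """Map days remaining onto the severity a monitoring alert would carry."""
    if days < 0:
        return "expired"
    if days < crit:
        return "critical"
    if days < warn:
        return "warning"
    return "ok"


def subject_cn(cert: dict) -> Optional[str]:
    """Pull commonName out of the nested tuples ssl.getpeercert() returns.

    On a default management certificate this is the value the poster
    blurred out of the screenshot.
    """
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def fetch_cert(host: str, port: int = 443, cafile: Optional[str] = None,
               timeout: float = 5.0) -> dict:
    """Fetch the peer certificate with verification left ON.

    `cafile` is the trust anchor you expect: your PKI's CA bundle, or the
    firewall's self-signed certificate exported and stored locally. With
    cafile given, only that anchor is trusted. Verification is never
    disabled here; with CERT_NONE getpeercert() returns an empty dict,
    which is the reason a "just bypass the warning" path is not offered.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(cert: dict, now: Optional[datetime] = None) -> dict:
    """Summarise one certificate the way an expiry alert would."""
    days = days_remaining(cert["notAfter"], now)
    return {"cn": subject_cn(cert), "not_after": cert["notAfter"],
            "days_remaining": days, "status": classify(days)}


if __name__ == "__main__":
    # Usage: python mgmt_cert_check.py <mgmt-host> [cafile]
    # Both values are placeholders supplied by the operator.
    host = sys.argv[1] if len(sys.argv) > 1 else "firewall-mgmt.example.invalid"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    try:
        summary = report(fetch_cert(host, cafile=cafile))
    except ssl.SSLCertVerificationError as exc:
        # The served certificate is not the one we trust: fix the anchor
        # or the certificate, do not loosen the check.
        sys.exit(f"verification failed for {host}: {exc.verify_message}")
    print(summary)
    sys.exit({"ok": 0, "warning": 1, "critical": 2, "expired": 2}[summary["status"]])
```

Two points about how this behaves: the `server_hostname` passed to `wrap_socket` must match a name in the certificate, so a self-signed certificate you generate for the management interface should carry the host name or address your monitoring actually connects to; and a verification failure exits non-zero with the reason instead of falling back to an unverified connection, which is the monitoring-side counterpart of not training administrators to click past the warning.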

  • 2 accepted solutions
  • 1387 Views
  • 6 replies
  • 0 Likes