We have two Panorama devices running in HA (active/passive) mode with PAN-OS 10.0.5.
There is a certificate authority and a self-signed certificate generated under Certificates for Panorama management access on the active device. Referencing this self-signed certificate, an SSL/TLS service profile has been created, and the same is called in General Settings under the Setup menu. The management portal is accessible with the new certificate on the active device after the commit.
The passive device is also synced with the same CA, self-signed certificate and other settings from the active device.
Now the issue is that the passive Panorama is also using the same self-signed certificate as the active one.
Ideally the device self-signed certificate shouldn't be synced to the passive; the passive device should use its own self-signed certificate generated locally, but the passive device does not allow generating a certificate as it is in passive mode.
With a forced failover, I might be able to create a self-signed certificate on the active (which was earlier the passive), but this will again sync the same config to the passive device.
Please let me know if you have any suggestions.