Did anyone get a satisfactory answer on this? Like some of those above, I am attempting to renew the SAML signing certificate for Azure AD. Once you click "new", then "save" in the Azure portal, you can download a new XML file, and this XML file imports without error in PAN-OS. However, PAN-OS is importing the PREVIOUS signing certificate, despite the XML referencing the new certificate, i.e., the XML starts with:

<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="signing">
<KeyInfo>
<X509Data>
<X509Certificate>

...and references the NEW certificate; however, the PAN-OS UI simply shows the OLD certificate twice in the certificate list. Is there a bug in PAN-OS that doesn't understand how to parse certificates from the XML when another SAML profile with the same IdP is present? I certainly don't want to have to destroy the complete SAML configuration on a production system. None of this was a problem until Palo Alto shot themselves in the foot by disallowing the import of self-signed certificates. Having to re-import a whole SAML server profile to renew a certificate is stupid. Do I have to back up the entire running config, edit it in Notepad with this new cert and import it back? As you can see below, while the new profile references the new cert, the old certificate shows up instead:
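An added example, not part of the post above and not code from Palo Alto Networks or Microsoft: a small Python check that parses a downloaded federation metadata file, lists every X509Certificate that sits under a signing KeyDescriptor with its SHA-256 fingerprint, and diffs that list against the fingerprints a device currently shows. The metadata embedded in the block is constructed to match the shape quoted in the post (a WS-Fed RoleDescriptor plus a SAML IDPSSODescriptor, each carrying a signing key); its certificate bodies and tenant ID are placeholders, not real DER certificates, and the device fingerprint list passed to `compare_with_device` is a hypothetical input that would have to be read off the firewall's certificate page.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder certificate bodies (NOT real DER; a real metadata
# file carries base64-encoded DER certificates here). OLD stands for the
# expiring signing certificate, NEW for the one rolled in the Azure portal.
OLD_DER = b"OLD-CERT-PLACEHOLDER-DER"
NEW_DER = b"NEW-CERT-PLACEHOLDER-DER"

# Constructed federation metadata modelled on the shape quoted in the post.
# The entityID tenant GUID is a placeholder.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {old}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {new}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(old=base64.b64encode(OLD_DER).decode(),
           new=base64.b64encode(NEW_DER).decode())

# Elements that may carry KeyDescriptor children in SAML/WS-Fed metadata.
ROLE_TAGS = {"RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor"}


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.rsplit("}", 1)[-1]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate body, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def signing_certs(metadata_xml):
    """List every certificate under a KeyDescriptor whose use includes signing.

    Namespace prefixes are ignored, so the prefixed (ds:) and the unprefixed
    form of the file are handled alike. Each result records the role element
    the key belongs to, its 'use' attribute and the SHA-256 fingerprint.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for role in root.iter():
        if _local(role.tag) not in ROLE_TAGS:
            continue
        for kd in role.iter():
            if _local(kd.tag) != "KeyDescriptor":
                continue
            use = kd.get("use", "both")  # no 'use' means signing and encryption
            if use not in ("signing", "both"):
                continue
            for cert in kd.iter():
                if _local(cert.tag) != "X509Certificate" or not cert.text:
                    continue
                der = base64.b64decode("".join(cert.text.split()))
                certs.append({"role": _local(role.tag), "use": use,
                              "sha256": fingerprint(der)})
    return certs


def distinct_signing_fingerprints(metadata_xml):
    """Sorted set of distinct signing-certificate fingerprints in the file."""
    return sorted({c["sha256"] for c in signing_certs(metadata_xml)})


def compare_with_device(metadata_xml, device_fingerprints):
    """Diff the file's signing certs against what the device currently lists.

    device_fingerprints: SHA-256 hex fingerprints of the IdP certificates the
    firewall shows (hypothetical input; colons and case are normalised away).
    """
    in_file = set(distinct_signing_fingerprints(metadata_xml))
    on_device = {f.lower().replace(":", "") for f in device_fingerprints}
    return {
        "missing_from_device": sorted(in_file - on_device),
        "stale_on_device": sorted(on_device - in_file),
    }


if __name__ == "__main__":
    for c in signing_certs(SAMPLE_METADATA):
        print(f'{c["role"]:<18} use={c["use"]:<8} sha256={c["sha256"]}')
    # Simulate the situation in the post: the device only knows the old cert.
    print(compare_with_device(SAMPLE_METADATA, [fingerprint(OLD_DER)]))
```

Run against a real download, the first loop shows which certificate(s) the file actually carries, and `compare_with_device` reports a new certificate the device has not picked up as `missing_from_device` and a superseded one it still lists as `stale_on_device`. The block uses `xml.etree` because its input is constructed inline; for metadata fetched from anywhere you do not control, parse with `defusedxml` instead.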