Focus

Next-Generation Firewall

Certificate Management Features

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Panorama Features

Decryption Features

Certificate Management Features

Learn about new Certificate Management features in PAN-OS 12.1.

The following section describes new certificate management features introduced in PAN-OS 12.1.

Automatic Certificate Renewal for Passive HA Devices

September 2025

Introduced in PAN-OS 12.1.3

Previously, in HA Active/Passive pairs with service routes configured for Palo Alto Networks services or DNS servers, it was impossible to renew device certificates on the passive device because the passive device's dataplane functions are down. Starting with this PAN-OS® release, the passive device can have service routes configured and receive certificate updates and renewals through its HA interface connected to the active device. You do not have to configure or change your network security policy to perform this function; the process happens automatically when a certificate is near its expiry date. This allows your HA pair to maintain up to date and secure connections with Palo Alto Networks licenses and services even after a failover event.

You can verify if the passive device has successfully renewed a certificate using the following CLI command:

show device-certificate status

It's recommended that you enable encryption on the HA link, otherwise you will receive the following system log during the renewal process: HA1 link is used without encryption.

PAN-OS System Certificates

August 2025

Introduced in PAN-OS 12.1.2

Gaining comprehensive visibility into all internal firewall certificates can be a challenge, often requiring manual checks across various system components and increasing the risk of human error. The Firewall Web Interface addresses this by displaying a centralized list of all internal Palo Alto Networks® certificates under DeviceCertificate ManagementCertificatesPAN-OS System Certificates.

This new feature provides a single, unified location for managing critical assets. You can easily review certificate details, check expiration dates, and track the overall status of system certificates without navigating to multiple sections of the firewall. By consolidating this information, this feature reduces the time and effort needed for audits and compliance checks.

Panorama Features

Decryption Features

Next-Generation Firewall Docs

Certificate Management Features

Next-Generation Firewall Docs

Certificate Management Features

Automatic Certificate Renewal for Passive HA Devices

PAN-OS System Certificates

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner