Focus

Next-Generation Firewall

Revoke and Renew Certificates

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure the Key Size for SSL Forward Proxy Server Certificates

Master Key Encryption

Revoke and Renew Certificates

Learn how to revoke and renew certificates.

Revoke a Certificate

Learn how to revoke a certificate when an NGFW is the certificate authority (CA).

Various circumstances can invalidate a certificate before the expiration date. Some examples are a change of name, change of association between subject and certificate authority (for example, an employee terminates employment), and compromise (known or suspected) of the private key. Under such circumstances, the certificate authority (CA) that issued the certificate must revoke it. The following task describes how to revoke a certificate for which the firewall is the CA.

Select DeviceCertificate ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
If the firewall supports multiple virtual systems, the tab displays a Location drop-down. Select the virtual system to which the certificate belongs.
Select the certificate to revoke.
Click Revoke. PAN-OS immediately sets the status of the certificate to revoked and adds the serial number to the Online Certificate Status Protocol (OCSP) responder cache or certificate revocation list (CRL). You need not perform a commit.

Renew a Certificate

Follow these steps to renew a certificate from an external CA or when the firewall is the CA.

If a certificate expires, or soon will, you can reset the validity period. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status (see Configure an OCSP Responder). If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate.

Select DeviceCertificate ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
Select a certificate to renew and click Renew.
Enter a New Expiration Interval (in days).
Click OK and Commit.

Configure the Key Size for SSL Forward Proxy Server Certificates

Master Key Encryption

Next-Generation Firewall Docs

Revoke and Renew Certificates

Next-Generation Firewall Docs

Revoke and Renew Certificates

Revoke a Certificate

Renew a Certificate

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner