Focus

Certificate Management Features

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Decryption Features

Management Features

Certificate Management Features

Learn about new Certificate Management features in PAN-OS 11.1.

Automatic Certificate Renewal for Passive HA Devices

October 2025

Introduced in PAN-OS 11.1.12.

Previously, in HA Active/Passive pairs with service routes configured for Palo Alto Networks services or DNS servers, it was impossible to renew device certificates on the passive device because the passive device's dataplane functions are down. Starting with this PAN-OS® release, the passive device can have service routes configured and receive certificate updates and renewals through its HA interface connected to the active device. You do not have to configure or change your network security policy to perform this function; the process happens automatically when a certificate is near its expiry date. This allows your HA pair to maintain up to date and secure connections with Palo Alto Networks licenses and services even after a failover event.

You can verify if the passive device has successfully renewed a certificate using the following CLI command:

show device-certificate status

It's recommended that you enable encryption on the HA link, otherwise you will receive the following system log during the renewal process: HA1 link is used without encryption.

TLSv1.3 Support for Administrative Access Using SSL/TLS Service Profiles

November 2023

Introduced in PAN-OS 11.1.0

You can now configure TLSv1.3 for administrative access to Next-Generation Firewalls (NGFWs) and other management interfaces and manage cipher suites directly in an SSL/TLS service profile. In the SSL/TLS service profile, you can select TLSv1.3 as the minimum and maximum supported TLS version. Selecting TLSv1.3 automatically enables a set of modern and secure cipher suites. Additionally, you can customize key exchange algorithms, encryption algorithms, and authentication algorithms without using the command line interface (CLI). TLSv1.3 improves the security and performance of administrative connections. The protocol removes support for vulnerable algorithms, mandates perfect forward secrecy, and reduces connection latency through a faster TLS handshake.

You can only use TLSv1.3-enabled SSL/TLS service profiles for administrative access and GlobalProtect® portals and gateways.

Decryption Features

Management Features

Next-Generation Firewall Docs

Certificate Management Features

Next-Generation Firewall Docs

Certificate Management Features

Automatic Certificate Renewal for Passive HA Devices

TLSv1.3 Support for Administrative Access Using SSL/TLS Service Profiles

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner