Certificate Management Features

Learn about new Certificate Management features in PAN-OS 11.1.

Automatic Certificate Renewal for Passive HA Devices

October 2025
  • Introduced in PAN-OS 11.1.12.
Previously, in HA Active/Passive pairs with service routes configured for Palo Alto Networks services or DNS servers, the passive device could not renew its device certificate because its dataplane functions are down. Starting with this PAN-OS® release, the passive device can have service routes configured and receive certificate updates and renewals through its HA interface connected to the active device. You do not have to configure or change your network security policy to enable this; the renewal happens automatically when a certificate approaches its expiry date. As a result, your HA pair maintains up-to-date, secure connections to Palo Alto Networks licenses and services even after a failover event.
You can verify whether the passive device has successfully renewed its certificate with the following CLI command:
show device-certificate status
It's recommended that you enable encryption on the HA link; otherwise, you will receive the following system log during the renewal process: "HA1 link is used without encryption."

TLSv1.3 Support for Administrative Access Using SSL/TLS Service Profiles

November 2023
  • Introduced in PAN-OS 11.1.0.
Previously, you could not configure TLSv1.3 support for administrative access in the standard SSL/TLS service profile. In addition, you could only manage cipher suites using the command line interface (CLI). PAN-OS® 11.1 solves these challenges by enhancing the SSL/TLS service profile.
You can now select TLSv1.3 as the minimum and maximum supported TLS version directly in an SSL/TLS service profile. Selecting TLSv1.3 automatically enables a set of modern and secure cipher suites. Additionally, you can customize key exchange algorithms, encryption algorithms, and authentication algorithms without using the CLI.
You can only use TLSv1.3-enabled SSL/TLS service profiles for administrative access and GlobalProtect® portals and gateways.
TLSv1.3 improves the security and performance of administrative connections to your Next-Generation Firewalls and other management interfaces. The protocol removes support for vulnerable algorithms, mandates perfect forward secrecy, and reduces connection latency through a faster TLS handshake.
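After committing a TLSv1.3-only SSL/TLS service profile, you will want to confirm from the outside that the management interface actually negotiates TLSv1.3 with one of its AEAD suites and no longer accepts a TLSv1.2-only client. The following is an added example written for this page, not Palo Alto Networks code; the hostname is a placeholder and the CA file (if given) is assumed to be the one that signed the management certificate.

```python
"""Probe a management interface to confirm a TLSv1.3-only SSL/TLS service
profile is in effect. Added example, not Palo Alto Networks code; the host,
port and optional CA file are assumptions for illustration."""
import socket
import ssl

# TLSv1.3 cipher suites defined by RFC 8446: all AEAD, all forward-secret.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def build_context(min_version, max_version, cafile=None):
    """Client context pinned to one TLS version range. cafile (assumed path)
    is the CA that signed the firewall's management certificate; None uses
    the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    return ctx


def handshake(host, port, ctx, timeout=5.0):
    """Return (protocol, cipher_name) if the handshake succeeds, else None.
    None covers both a refused version/cipher and an unreachable host."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return None


def audit(host, port=443, cafile=None):
    """Check that TLSv1.3 with a TLSv1.3 suite is negotiated and that a
    TLSv1.2-only client (a downgrade path) is rejected."""
    v13, v12 = ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2
    strict = handshake(host, port, build_context(v13, v13, cafile))
    legacy = handshake(host, port, build_context(v12, v12, cafile))
    return {
        "tls13_ok": strict is not None and strict[1] in TLS13_SUITES,
        "negotiated": strict,
        "tls12_still_accepted": legacy is not None,
    }


if __name__ == "__main__":
    # "fw-mgmt.example.net" is a placeholder for the firewall's MGT address.
    print(audit("fw-mgmt.example.net"))
```

A result of `tls13_ok: True` together with `tls12_still_accepted: False` is what you expect once the TLSv1.3-only profile is applied; anything else means the profile is not yet active on that interface.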