The certificate authorities (CAs) that the firewall trusts by default are updated in PAN-OS 8.1; new trusted root CAs are added and expired CAs are removed. The pre-installed list of CAs includes the most common and trusted certificate providers responsible for issuing the certificates the firewall requires to secure connections to the internet. Because the firewall trusts these CAs by default, the only additional CAs you might want to add are any trusted enterprise CAs that your organization requires.

To view and manage the list of CAs that the firewall trusts by default, select

Device

Certificate Management

Certificates

Default Trusted Certificate Authorities

. For details on the different keys and certificates that the firewall uses, and how to obtain and manage them, seeCertificate Management.