The certificate authorities (CAs) that the firewall
trusts by default are updated in PAN-OS 8.1; new trusted root CAs
are added and expired CAs are removed. The pre-installed list of
CAs includes the most common and trusted certificate providers responsible
for issuing the certificates the firewall requires to secure connections
to the internet. Because the firewall trusts these CAs by default,
the only additional CAs you might want to add are any trusted enterprise
CAs that your organization requires.