Migrate Panorama SC3 Certificates During Appliance Migration

Migrate Panorama SC3 certificates during appliance migration so that managed firewalls reconnect automatically, without manual intervention.
(PAN-OS 11.1.8 and later 11.1 releases and PAN-OS 11.2.5 and later releases only) When migrating configuration management from one Panorama appliance to another, you must copy the device certificates to the new Panorama for any firewalls originally onboarded using an authkey. This ensures that the NGFW devices establish a secure connection with the new Panorama automatically, without going through the re-onboarding process. The Panorama Secure Common Criteria (SC3) certificate migration feature enables this seamless transfer of SC3 trust infrastructure during an appliance migration (including virtual appliances), restoring the original trust infrastructure on the new Panorama device.
  • The migration process collects the required files from the source Panorama into a single, encrypted sc3migration bundle.
  • The system integrates the restored SC3 certificate infrastructure into your environment after you import the encrypted bundle to the new Panorama.
  • The new certificate infrastructure becomes active only after you restart the management server.
  • The existing managed firewalls automatically trust and reconnect to the new Panorama because the system preserves the original SC3 trust infrastructure.
  • This feature supports standalone Panorama migrations during appliance migration.
For a seamless transition, ensure that you meet the following prerequisites before starting the migration:
  • Ensure that both the old and new Panorama devices have the same IP address. This is essential for managed firewalls to automatically connect to the new Panorama.
  • Load the configuration of the old unit onto your new Panorama.
  • Configure the exact same Master Key on the new device if you used a custom Master Key on the source device. For more information on Master Key Management, see Manage the Master Key from Panorama.
  • Verify that an external SCP server is available and reachable by both your source and target Panorama devices for file transfer.

Back Up SC3 Certificates from Your Source Panorama

  1. Log in to the CLI of your source Panorama.
  2. Generate the SC3 backup bundle on your source Panorama. Enter the following command:
    request sc3 backup
    This command generates an encrypted bundle of your SC3 Certificate Authority, Phosphorus keys, and PEM files.
  3. Export the encrypted SC3 backup file to an external SCP server. Enter the following command:
    scp export sc3-backup from sc3migration to <user>@<host>:<path>
    The file sc3migration is encrypted using the Master Key of the device for security during transit.
    In HA deployments, ensure that you first perform this procedure on the Active Panorama.

Restore SC3 Certificates to Your Target Panorama

Before proceeding, ensure that you meet the following prerequisites for the new Panorama:
  • The Panorama device is licensed.
  • The configuration is imported, loaded, and committed.
  • Firewalls and log collectors are onboarded and in a disconnected state.
  1. Log in to the CLI of your new Panorama.
  2. Import the SC3 backup file from the SCP server to your new Panorama. Enter the following command:
    scp import sc3-restore from <user>@<host>:<path>/sc3migration
    This command imports the encrypted SC3 backup bundle, decrypting and restoring the SC3 trust infrastructure. A successful import displays the following:
    SC3 certs has been restored!
  3. Restart the management server on your new Panorama. Enter the following command:
    debug software restart management-server
    This restarts the management server to activate the newly restored SC3 certificate infrastructure, enabling your managed firewalls to reconnect seamlessly.
  4. (HA Only) Repeat steps 1 to 3 for backup and restore on Passive Panoramas.

Troubleshooting

If the migration is unsuccessful or devices do not reconnect, refer to the following logs and common issues.
  • /var/log/pan/sc3migration.log: Look for messages indicating "SC3 Backup success" or "Restored SC3 CA".
  • /var/log/pan/configd.log: Monitor this file for general Op-cmd execution errors.
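As an added example (not part of the PAN-OS documentation or any Palo Alto Networks tooling), the following Python script triages copies of the two logs named above for one Panorama, checking for the marker that its role in the migration should have produced (the backup marker on the source, the restore marker on the target) and listing Op-cmd error lines from configd.log. It assumes the logs were copied off-box as text, and it assumes that an Op-cmd execution error mentions "op-cmd" and "error" on the same line; the sample log lines are constructed, not real Panorama output.

```python
import re
from typing import Dict, List

# Success markers quoted in the troubleshooting section above.
MARKERS = {"source": "SC3 Backup success", "target": "Restored SC3 CA"}

# Assumption: an Op-cmd execution error in configd.log carries "op-cmd" and
# "error" on one line; the page only says to watch configd.log for such errors.
OPCMD_ERROR = re.compile(r"op-cmd.*error", re.IGNORECASE)

# Next action per role when the expected marker is absent, taken from the procedure.
RETRY = {
    "source": "re-run 'request sc3 backup' and review the Op-cmd errors listed",
    "target": "re-run 'scp import sc3-restore ...' and confirm the Master Key matches the source",
}
DONE = {
    "source": "none; export the sc3migration bundle to the SCP server",
    "target": "none; restart the management server and wait for firewalls to reconnect",
}


def triage(role: str, sc3migration_log: str, configd_log: str) -> Dict[str, object]:
    """Report whether this Panorama reached its expected migration stage."""
    if role not in MARKERS:
        raise ValueError("role must be 'source' or 'target'")
    marker_seen = MARKERS[role] in sc3migration_log
    op_errors: List[str] = [
        line.strip() for line in configd_log.splitlines() if OPCMD_ERROR.search(line)
    ]
    next_step = DONE[role] if marker_seen else RETRY[role]
    return {"role": role, "marker_seen": marker_seen,
            "op_errors": op_errors, "next_step": next_step}


# Constructed sample logs for a target Panorama whose restore did not complete.
SAMPLE_SC3_LOG = "2024-01-01 10:00:01 sc3migration: import started\n"
SAMPLE_CONFIGD_LOG = (
    "2024-01-01 10:00:02 configd: op-cmd scp import sc3-restore: error: import failed\n"
    "2024-01-01 10:00:03 configd: commit ok\n"
)

if __name__ == "__main__":
    print(triage("target", SAMPLE_SC3_LOG, SAMPLE_CONFIGD_LOG))
```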