Change a Root or Intermediate CA Certificate

Configure the server to accept predefined certificates from clients.
Select
Panorama
Setup
Management
and
Edit
the Panorama Settings.
Uncheck
Custom Certificate Only
.
Select
None
from the Certificate Profile drop-down.
Click
OK
.
Commit
your changes.
Deploy the new root or intermediate CA certificate.
You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.
Update the CA certificate in the server certificate profile.
Select
Panorama
Certificate Management
Certificate Profile
and select the certificate profile to update.
Delete
the old CA certificate.
Add
the new CA Certificate.
Click
OK
.
Generate or import the new client certificate.
Select
Device
Certificate Management
Certificates
.
Create a self-signed root CA certificate or import a certificate from your enterprise CA.
Update the CA certificate in the client certificate profile.
Select
Device
Setup
Management
and click the
Edit
icon in Panorama Settings for a firewall or Select
Panorama
Managed Collectors
Add
Communication
for a Log Collector and select the certificate profile to update.
Delete
the old CA certificate.
Add
the new CA Certificate.
Click
OK
.
After updating the CA certificates on all managed devices, enforce custom-certificate authentication.
Select
Panorama
Setup
Management
and
Edit
the Panorama Settings.
Select
Custom Certificate Only
.
Click
OK
.
Commit
your changes.
After committing this change, all devices managed by Panorama must use custom certificates. If not, authentication between Panorama and the device fails.