Change a Root or Intermediate CA Certificate

Complete the following task to replace a root or intermediate CA certificate.
  1. Configure the server to accept predefined certificates from clients.
    1. Select Panorama > Setup > Management and Edit the Panorama Settings.
    2. Uncheck Custom Certificate Only.
    3. Select None from the Certificate Profile drop-down.
    4. Click OK.
    5. Commit your changes.
  2. Deploy the new root or intermediate CA certificate.
    You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.
  3. Update the CA certificate in the server certificate profile.
    1. Select Panorama > Certificate Management > Certificate Profile and select the certificate profile to update.
    2. Delete the old CA certificate.
    3. Add the new CA Certificate.
    4. Click OK.
  4. Generate or import the new client certificate.
    1. Select Device > Certificate Management > Certificates.
    2. Create a self-signed root CA certificate or import a certificate from your enterprise CA.
  5. Update the CA certificate in the client certificate profile.
    1. For a firewall, select Device > Setup > Management and click the Edit icon in Panorama Settings. For a Log Collector, select Panorama > Managed Collectors > Add > Communication. Then select the certificate profile to update.
    2. Delete the old CA certificate.
    3. Add the new CA Certificate.
    4. Click OK.
  6. After updating the CA certificates on all managed devices, enforce custom-certificate authentication.
    1. Select Panorama > Setup > Management and Edit the Panorama Settings.
    2. Select Custom Certificate Only.
    3. Click OK.
    4. Commit your changes.
      After committing this change, all devices managed by Panorama must use custom certificates. If not, authentication between Panorama and the device fails.
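
Because a device that still presents a certificate issued by the old CA fails authentication once Custom Certificate Only is enforced, it is worth checking every client certificate against the new CA before step 6. The script below is an added example, not part of the original documentation: it assumes the client certificates were exported as PEM files into one directory (a hypothetical layout), and `make_demo_pki` only builds constructed sample data with hypothetical names.

```shell
#!/bin/sh
# Added example: pre-enforcement chain check using the openssl CLI.
# Assumption: one exported PEM certificate per managed device in CERT_DIR.

# unverified_certs CA_PEM CERT_DIR
# Prints the file name of every *.pem certificate in CERT_DIR that fails
# verification against CA_PEM (issued by another CA, expired, unreadable).
# Prints nothing when every certificate verifies.
unverified_certs() {
    ca=$1
    dir=$2
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue            # directory had no .pem files
        if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
            basename "$cert"
        fi
    done
}

# make_demo_pki DIR
# Constructed sample data: an old and a new self-signed root CA, plus two
# device certificates. fw-01 is issued by the new CA, fw-02 by the old one.
make_demo_pki() {
    d=$1
    mkdir -p "$d/devices"
    for ca in old-ca new-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    issue() {   # issue DEVICE_NAME CA_NAME
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
            -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
        openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
            -CAcreateserial -days 30 -out "$d/devices/$1.pem" 2>/dev/null
    }
    issue fw-01 new-ca
    issue fw-02 old-ca
}
```

Run `unverified_certs new-ca.pem ./devices` against the real exports; any file name it prints belongs to a device that still needs a certificate from the new CA before Custom Certificate Only is selected.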
