Change a Root or Intermediate CA Certificate

Complete the following task to replace a root or intermediate CA certificate.
  1. Configure the server to accept predefined certificates from clients.
    1. Select Panorama > Setup > Management and Edit the Panorama Settings.
    2. Uncheck Custom Certificate Only.
    3. Select None from the Certificate Profile drop-down.
    4. Click OK.
    5. Commit your changes.
  2. Deploy the new root or intermediate CA certificate.
    You can deploy certificates on Panorama or a server Log Collector by generating a self-signed certificate on Panorama or obtaining a certificate from your enterprise CA or a trusted third-party CA.
  3. Update the CA certificate in the server certificate profile.
    1. Select Panorama > Certificate Management > Certificate Profile and select the certificate profile to update.
    2. Delete the old CA certificate.
    3. Add the new CA Certificate.
    4. Click OK.
  4. Generate or import the new client certificate.
    1. Select Device > Certificate Management > Certificates.
  5. Update the CA certificate in the client certificate profile.
    1. Select Device > Setup > Management and click the Edit icon in Panorama Settings for a firewall, or select Panorama > Managed Collectors > Add > Communication for a Log Collector, and select the certificate profile to update.
    2. Delete the old CA certificate.
    3. Add the new CA Certificate.
    4. Click OK.
  6. After updating the CA certificates on all managed devices, enforce custom-certificate authentication.
    1. Select Panorama > Setup > Management and Edit the Panorama Settings.
    2. Select Custom Certificate Only.
    3. Click OK.
    4. Commit your changes.
      After committing this change, all devices managed by Panorama must use custom certificates. If not, authentication between Panorama and the device fails.
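
A pre-enforcement check for step 6, added here as an example (not Palo Alto Networks code): it assumes the device certificates have been exported as PEM files to a workstation with OpenSSL, and it lists any certificate that does not chain to the new CA. The CA and device names are constructed test data.

```shell
#!/bin/sh
# Added example: names (old-ca, new-ca, fw-01, fw-02) are constructed test data.

# make_ca DIR NAME: create a throwaway self-signed CA (key + PEM certificate).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: issue certificate NAME signed by the CA named CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# stale_certs CA_PEM CERT...: print each certificate that does not verify
# against CA_PEM alone; return 0 only when every certificate verifies.
stale_certs() {
    ca=$1; shift; rc=0
    for cert in "$@"; do
        # -no-CApath keeps the system trust store out of the decision.
        if ! openssl verify -CAfile "$ca" -no-CApath "$cert" >/dev/null 2>&1; then
            basename "$cert"
            rc=1
        fi
    done
    return $rc
}

# demo: one device already re-issued under the new CA, one still on the old CA.
demo() {
    d=$(mktemp -d)
    make_ca "$d" old-ca && make_ca "$d" new-ca
    issue_cert "$d" new-ca fw-01
    issue_cert "$d" old-ca fw-02
    stale_certs "$d/new-ca.pem" "$d/fw-01.pem" "$d/fw-02.pem"; rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "re-issue the certificates listed above before enforcing" >&2
```

Any file name printed by `stale_certs` belongs to a device that would fail authentication once Custom Certificate Only is selected.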
