Renew Certificates Using Next-Gen Trust Security

Renew expiring certificates using Next-Gen Trust Security with enterprise-approved certificate authorities.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Secure-Flex Credits
  • Superuser role for Strata Cloud Manager Shared Services
  • PKI administrator must configure issuing templates in the Next-Gen Trust Security console and link them to the NGFW application - see Configure a Certificate Authority and Get Started with Integrations
  • Certificate must be in Managed status
Certificate renewal through Next-Gen Trust Security generates new certificates using enterprise-approved certificate authorities and cryptographic settings. When you initiate renewal from the Network Trust Security page in Strata Cloud Manager, Next-Gen Trust Security creates a new private key and certificate signing request (CSR) based on your issuing template settings, submits the CSR to a certificate authority, and imports the renewed certificate with its private key back into Strata Cloud Manager. Only managed certificates can be renewed through Next-Gen Trust Security.
Your PKI administrator must configure issuing templates in the Next-Gen Trust Security console and link them to the NGFW application. Issuing templates are policies that define cryptographic standards for certificate generation, including key algorithm and length, allowed Subject and SANs, certificate validity period, and extended key usage fields.
  1. Verify prerequisites.
    1. Ensure the certificate you want to renew has Managed status. If not, see Manage Certificates in Next-Gen Trust Security.
    2. Verify that your PKI administrator has configured an issuing template linked to the NGFW application in the Next-Gen Trust Security console.
  2. Initiate renewal.
    1. Navigate to Insights > Security > Network Trust Security.
    2. Locate the certificate you want to renew in the table.
    3. Click Renew in the certificate's row.
  3. Monitor renewal progress.
    The renewal process:
    1. Next-Gen Trust Security generates a new private key and CSR based on the issuing template settings.
    2. Next-Gen Trust Security encrypts the private key.
    3. Next-Gen Trust Security submits the CSR to a certificate authority.
    4. Next-Gen Trust Security receives the signed certificate from the CA.
    5. Next-Gen Trust Security imports the certificate and its private key to Strata Cloud Manager.
    The renewal status updates in the certificate table.
  4. Push configuration to firewalls.
    After successful renewal:
    • The certificate in your Strata Cloud Manager configuration updates with the new certificate and private key
    • The imported certificate's trust chain may differ from the previous certificate's trust chain if the issuer changed
    • The expiration date reflects the new certificate's validity period
    • The certificate remains in Managed status
    • You must manually push the updated configuration to your firewalls to complete the certificate update
    If you renew a managed certificate manually in Strata Cloud Manager (outside of the Next-Gen Trust Security workflow), the certificate becomes unmanaged. You must re-manage it through the Network Trust Security page to continue using Next-Gen Trust Security renewal capabilities.
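Before the manual push in step 4, the renewed certificate can be compared with the one it replaces for the changes described above: issuer, key, names and expiry. The following script is an added example, not part of the product or its documentation. It assumes both certificates are available as PEM files (export is not covered on this page) and that the OpenSSL 1.1.1 or later command line is installed; all function names, including the `demo_issue` throwaway-CA helper, are hypothetical.

```shell
#!/bin/sh
# Added example, not product code. Compares a renewed certificate with the one it
# replaces. Assumes both are available as PEM files and OpenSSL 1.1.1+ is installed.

cert_field() {    # cert_field FILE issuer|enddate
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*= *//'
}
cert_keyhash() {  # SHA-256 over the certificate's PEM-encoded public key
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}
cert_sans() {     # one SAN entry per line, e.g. DNS:app.example.test
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed 1d | tr ',' '\n' | sed -e 's/^ *//' -e '/^$/d' | sort
}

# renewal_check OLD.pem NEW.pem: prints findings, returns 1 if any need review.
renewal_check() {
    old=$1; new=$2; rc=0
    if [ "$(cert_field "$old" issuer)" != "$(cert_field "$new" issuer)" ]; then
        echo "REVIEW issuer changed: $(cert_field "$new" issuer)"; rc=1
    fi
    if [ "$(cert_keyhash "$old")" = "$(cert_keyhash "$new")" ]; then
        echo "REVIEW public key unchanged: renewal should have produced a new key"; rc=1
    fi
    missing=$(cert_sans "$old" | while read -r san; do
        cert_sans "$new" | grep -qxF "$san" || printf '%s ' "$san"; done)
    if [ -n "$missing" ]; then
        echo "REVIEW SANs dropped: $missing"; rc=1
    fi
    if ! openssl x509 -in "$new" -noout -checkend 0 >/dev/null; then
        echo "REVIEW renewed certificate is already expired"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK same issuer, new key, names kept; expires $(cert_field "$new" enddate)"
    return "$rc"
}

# Constructed sample input: issue DIR/LEAF.pem with SANS from throwaway CA DIR/CA.pem.
demo_issue() {    # demo_issue DIR CA LEAF SANS
    gen="-newkey rsa:2048 -nodes"
    [ -f "$1/$2.pem" ] || openssl req -x509 $gen -keyout "$1/$2.key" -out "$1/$2.pem" \
        -days 30 -subj "/CN=Constructed $2" 2>/dev/null
    openssl req -new $gen -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=app.example.test" 2>/dev/null
    printf 'subjectAltName=%s\n' "$4" > "$1/$3.ext"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/$3.ext" -days 30 -out "$1/$3.pem" 2>/dev/null
}
```

A `REVIEW issuer changed` line is the cue to confirm that the new issuing CA's chain is trusted wherever the old one was before you push the configuration.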
Troubleshooting Renewal Issues
If renewal takes longer than expected or fails:
  1. Verify issuing template configuration:
    • Log in to the Next-Gen Trust Security console
    • Navigate to Configuration > Certificate Policies > Issuing Templates
    • Locate your issuing template in the list
    • Click on the issuing template to open its details
    • Verify the issuing template is linked to the NGFW application:
      • Look for the NGFW application in the Linked Applications section
      • If not linked, click Link Application and select NGFW from the list
    • Check that cryptographic settings (key algorithm, Subject and SANs, validity period) are valid
  2. Verify certificate authority accessibility:
    • In the Next-Gen Trust Security console, navigate to Configuration > Certificate Authorities
    • Locate your certificate authority in the list
    • Check the Status column - it should show Active with a green indicator
    • Click on the CA to view detailed status information
    • To test connectivity:
      • In the CA details page, look for a Test Connection or Validate button
      • Click to test that Next-Gen Trust Security can reach the CA
      • Verify the test completes successfully
    • If the test fails or status shows errors, check CA logs for rejection or processing errors
  3. Review renewal status:
    • Return to the Network Trust Security page in Strata Cloud Manager
    • Check the renewal status column for error messages
    • If the status shows an error, hover over or click for details
  4. Contact support:
    • If issues persist after verification, review the Next-Gen Trust Security troubleshooting documentation
    • Contact your PKI administrator to verify the CA and issuing template configuration
    • For complex issues, open a support case with details about the certificate and error messages