Setting up certificates for Palo Alto Networks PAN-OS systems

You must set up the certificate and SSL/TLS Service Profile on the PAN-OS system before you can connect using Privileged Access Service.

For configuration information, see the PAN-OS Web Interface Reference and the PAN-OS Admin Guide:

Once the PAN-OS system is configured, the same certificate must also be trusted by every connector system that connects to that PAN-OS system. In most cases, the PAN-OS system should present a certificate issued by an enterprise Certificate Authority (CA) or by a trusted external CA, such as VeriSign: because the issuing CA is already trusted on the connectors, no further certificate setup is needed there. Alternatively, you can export the certificate from the PAN-OS system and import it into the trust store of every system running the connector. Self-signed certificates should not be used in production environments.

Note: Palo Alto Networks PAN-OS system accounts are managed through the PAN-OS API over HTTPS, so a validated TLS channel between the connector and the PAN-OS system is required. Certificates are normally issued to a fully qualified domain name (FQDN), and hostname validation compares the name used to connect against the names in the certificate. If you register the PAN-OS system by IP address instead of by FQDN, validation of the server certificate will typically fail unless that IP address is also present in the certificate's Subject Alternative Name (SAN) extension; register the system by the FQDN that appears in its certificate.

Verifying certificate configuration

To verify that the certificate is trusted on the connector, open the PAN-OS Web UI ("https://<PAN-OS hostname/IP Address>") in a browser on the connector system, using the same hostname you registered in Privileged Access Service, and confirm that the browser reports a secure connection. If it does, the SSL/TLS management channel can be established. Use a browser that relies on the operating system's certificate store; a browser that ships its own trust store can report the connection as secure even when the CA is missing from the store the connector uses.

  • If the SSL/TLS handshake itself fails, compare the protocol versions and cipher suites enabled in the PAN-OS SSL/TLS Service Profile with those supported by the connector system.
  • If the handshake completes but the server certificate cannot be validated, check the certificate settings on both the connector and the PAN-OS system: the issuing root and any intermediate CA must be in the connector's trust store, the subject or Subject Alternative Name must match the name used to connect, and the certificate must be within its validity period.
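The following Python script is an added example, not code from Privileged Access Service or from Palo Alto Networks. It covers both the note above on FQDN versus IP address registration and the two failure cases just listed: `target_matches` shows, on a constructed `getpeercert()`-style dictionary, why a target given as an IP address fails name validation when the certificate only carries DNS names, and `check_endpoint` opens the same kind of verified TLS connection a connector needs and reports whether a failure happened at the handshake (protocol/cipher) stage or at certificate validation. The function names, the hostnames `fw1.example.test` and `*.mgmt.example.test`, and the CA file name are assumptions for illustration.

```python
"""Connector-side TLS check for a PAN-OS management endpoint (added example).

Offline part: RFC 6125 style name matching on a getpeercert()-style dict.
Live part: a verified TLS connection whose failures are classified as
'handshake' (protocol/cipher) or 'certificate' (chain, validity, name).
"""
import ipaddress
import socket
import ssl
from typing import Any, Dict, Optional, Set, Tuple


def names_in_cert(peercert: Dict[str, Any]) -> Tuple[Set[str], Set[str]]:
    """Collect DNS and IP names from the Subject Alternative Name extension.

    Only the SAN is consulted: modern validators ignore the subject CN, so a
    certificate without a SAN is treated as one that names nothing.
    """
    dns_names: Set[str] = set()
    ip_names: Set[str] = set()
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.add(value.lower().rstrip("."))
        elif kind == "IP Address":
            try:
                ip_names.add(str(ipaddress.ip_address(value)))  # normalize textual form
            except ValueError:
                pass  # malformed entry: ignore rather than match it
    return dns_names, ip_names


def target_matches(target: str, peercert: Dict[str, Any]) -> Tuple[bool, str]:
    """Decide whether the name or IP used to reach the device matches the certificate.

    An IP target must appear as an IP SAN entry; a DNS target must match a DNS
    SAN entry exactly or through a wildcard that covers one leftmost label.
    """
    dns_names, ip_names = names_in_cert(peercert)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        if str(ip) in ip_names:
            return True, f"IP address {ip} is listed in the certificate SAN"
        return False, (f"target {ip} is an IP address but the certificate has no IP SAN for it "
                       f"(DNS names: {sorted(dns_names)}); connect by FQDN instead")

    host = target.lower().rstrip(".")
    if host in dns_names:
        return True, f"{host} is listed in the certificate SAN"
    labels = host.split(".")
    if len(labels) >= 3:  # a wildcard covers exactly one leftmost label
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in dns_names:
            return True, f"{host} matches wildcard SAN {wildcard}"
    return False, f"{host} is not in the certificate SAN {sorted(dns_names)}"


def check_endpoint(target: str, port: int = 443, cafile: Optional[str] = None) -> Dict[str, Any]:
    """Open a verified TLS connection to the PAN-OS management interface.

    cafile: PEM bundle holding the enterprise CA that issued the PAN-OS
    certificate; None uses the system trust store, which is what a connector
    relies on. 'stage' is 'handshake' when protocol/cipher negotiation fails,
    'certificate' when the chain, validity or name check fails, 'ok' on success.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((target, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=target) as tls:
                return {"ok": True, "stage": "ok", "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "peercert": tls.getpeercert()}
    except ssl.SSLCertVerificationError as err:   # chain, validity or name problem
        return {"ok": False, "stage": "certificate", "detail": err.verify_message}
    except ssl.SSLError as err:                   # no common protocol version or cipher suite
        return {"ok": False, "stage": "handshake", "detail": err.reason or str(err)}
    except OSError as err:                        # DNS or TCP failure, not a TLS problem
        return {"ok": False, "stage": "connect", "detail": str(err)}


# Constructed sample shaped like ssl.SSLSocket.getpeercert(): a certificate
# issued to an FQDN only, as an enterprise CA would normally issue it.
SAMPLE_PEERCERT: Dict[str, Any] = {
    "subject": ((("commonName", "fw1.example.test"),),),
    "issuer": ((("commonName", "Example Enterprise Issuing CA"),),),
    "subjectAltName": (("DNS", "fw1.example.test"), ("DNS", "*.mgmt.example.test")),
}

if __name__ == "__main__":
    for name in ("fw1.example.test", "pa-2.mgmt.example.test", "10.0.0.5"):
        print(name, target_matches(name, SAMPLE_PEERCERT))
    # Live check against a real device (hostname and CA file are assumptions):
    # print(check_endpoint("fw1.example.test", cafile="enterprise-ca.pem"))
```

Run the live check from the connector system itself, with `cafile=None`, so that it exercises the same trust store the connector uses; passing an explicit `cafile` is useful only to confirm that the chain is correct before the CA has been imported.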

For more information about password and system management for Palo Alto Networks PAN-OS systems, see the following topics: