Palo Alto Device Certificate

Palo Alto Networks firewalls often require a device certificate. A device certificate is needed for features like device telemetry and for some of the CDSS (Cloud-Delivered Security Services) services, such as WildFire, DNS and URL filtering, and others.

In this post, I show you step-by-step how to check if a device certificate is installed and how to install a device certificate on a Palo Alto Networks firewall.

Before we proceed with installing the device certificate, we should double-check whether the firewall already has one.

Checking Device Certificate

CLI

If the result is "No device certificate found", move ahead with installing the device certificate.

GUI

In the GUI, there is also a second place where you can check whether a device certificate exists.

If there is no device certificate installed, we can move ahead with installing the device certificate.

Installing Device Certificate

We will use the OTP to retrieve and install the device certificate.

CLI

For me, that command will look like this: request certificate fetch otp 2aa

If you want to monitor the progress of the device certificate installation, run the following command followed by your job ID: show jobs id

GUI

Closing

That’s all it takes to install a device certificate on a Palo Alto Networks firewall. If you use HA, you must perform these steps on each firewall individually. The certificates will automatically renew 15 days before they expire.

If you want to read more about installing the device certificate, here is the Palo Alto documentation.
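
As an added example (not from the original post and not Palo Alto's own tooling), this Python script audits saved CLI status output from several firewalls, treating each HA peer separately and flagging certificates that are inside the 15-day renewal window without having renewed. Only the "No device certificate found" message comes from the post; the "Not valid after" field label, the timestamp layout, the firewall names and the sample outputs are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# The post states certificates renew automatically 15 days before expiry.
RENEWAL_WINDOW = timedelta(days=15)

# Assumption: field label and timestamp layout of the CLI status output.
NOT_AFTER = re.compile(r"Not valid after:\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def classify(cli_output, now):
    """Return 'missing', 'renewal-due', 'ok' or 'unparsed' for one firewall."""
    if "No device certificate found" in cli_output:
        return "missing"
    match = NOT_AFTER.search(cli_output)
    if not match:
        return "unparsed"  # do not guess; a human should read this output
    expires = datetime.strptime(match.group(1), "%Y/%m/%d %H:%M:%S")
    # Inside the window (or already expired) means auto-renewal has not happened.
    if expires - now < RENEWAL_WINDOW:
        return "renewal-due"
    return "ok"


def audit(outputs, now):
    """Classify every firewall; HA peers are separate entries on purpose."""
    return {name: classify(text, now) for name, text in outputs.items()}


# Constructed sample output: two HA peers and one standalone firewall.
SAMPLE = {
    "fw-ha-a": "Device Certificate information:\n"
               "  Current device certificate status: Valid\n"
               "  Not valid after: 2025/09/30 10:00:00 PDT\n",
    "fw-ha-b": "No device certificate found\n",
    "fw-edge": "Device Certificate information:\n"
               "  Current device certificate status: Valid\n"
               "  Not valid after: 2025/07/08 10:00:00 PDT\n",
}

if __name__ == "__main__":
    for name, state in audit(SAMPLE, datetime(2025, 7, 1)).items():
        print(f"{name}: {state}")
```

A firewall reported as "renewal-due" still has a certificate, but the automatic renewal has not replaced it yet, which is worth checking before cloud-delivered services are affected.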