On November 18th, 2024, the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with a Palo Alto firewall will expire, causing all communication to fail.
Palo Alto Networks has made new versions of the User-ID and TS agents with updated certificates that will expire on January 1st, 2032.
Before upgrading the User-ID or TS agent, you must upgrade your Palo Alto firewall to a version that supports the updated User-ID and TS agent certificate. Check the Palo Alto advisory here to determine which PAN-OS version you need.
If you want to know how to upgrade a Palo Alto firewall using CLI my blog post Upgrade Palo Alto HA Pair (Active/Passive) with CLI covers the entire process. If you want to upgrade your Palo Alto firewall using the GUI, my blog post, Upgrade Palo Alto Firewall HA Pair (Active/Passive), covers the entire process.
Once you’ve upgraded your Palo Alto firewall, you can upgrade the User-ID and TS agents to the new version.
My blog post, Palo Alto User-ID Agent Upgrade, details the entire upgrade process for the User-ID agent. My blog post, Palo Alto Terminal Server Agent Upgrade, details the upgrade process for the Terminal Server agent.
After I upgraded my User-ID and TS agents, I wanted to validate that everything was using the new certificates before the expiry deadline. I couldn’t find a straightforward way to check. However, I figured out a way.
In this post, I will detail step-by-step how to check the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with PAN-OS.
The Process
- Connect to the system that has the Palo Alto User-ID or TS agent installed and browse to the installation directory.
User-ID is typically installed to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent
TS Agent is typically installed to C:\Program Files\Palo Alto Networks\Terminal Server Agent
- Open the
ca-cert.pem
file with notepad.
- Copy the certificate to a certificate decoder.
I like to use CyberChef. Here’s the recipe I used.
When you paste the certificate, you should get an output like this.
If the Not After date says 01/01/2032, you have already upgraded and are safe until 2032.
If the Not After date says 18/11/2024, you must upgrade your Palo Alto User-ID or TS Agent to get the new certificate.
That’s all it takes to check the certificate expiry date on the Palo Alto User-ID agent or the Palo Alto Terminal Server agent.