PAN-OS firewalls and Panorama require a device certificate to authenticate to certain cloud services including Cortex Data Lake, Device Telemetry and IoT Security.
A device certificate, which is also referred to as a thermite certificate, is obtained using various mechanisms, including automatically for Zero Touch Provisioning (ZTP) enabled hardware firewalls, and manually by generating a one-time password (OTP).
The validity period of a device certificate is 90 days, and a new certificate will be automatically obtained 15 days prior to expiration.
```
admin@PA-460-2(active)> show device-certificate status
Device Certificate information:
Current device certificate status: Valid
Not valid before: 2023/02/19 12:18:39 PST
Not valid after: 2023/05/20 13:18:39 PDT
Last fetched timestamp: 2023/02/19 12:28:40 PST
Last fetched status: success
Last fetched info: Successfully fetched Device Certificate
```
Palo Alto Networks operates a private certificate authority (CA) that issues device certificates, with the following hierarchy as of March 2023:
```mermaid
flowchart TB
A(["Root CA<br/>CN = Palo Alto Networks Inc.-Root-CA G1<br/>RSA 3072, SHA-384<br/>Expires May 24 2027"])
A-->|self sign|A
A-->|sign|B(["Intermediate CA<br/>CN = Palo Alto Networks Inc.-Intermediate-SJC-CA G1<br/>RSA 3072, SHA-384<br/>Expires May 24 2027"])
B-->|sign|C(["Intermediate CA<br/>CN = USC-Client-Issuing-CA2-G3<br/>RSA 3072, SHA-384<br/>Expires Aug 13 2024"])
C-->|sign|D([Device Certificate<br/>CN = device serial number<br/>RSA 4096, SHA-384])
C-->|sign|E([Device Certificate])
C-->|sign|F([Device Certificate])
```
The certificate chain, starting from the device certificate and ending at the root CA certificate, can be viewed with the CLI command `show device-certificate info`.
The device certificate subject or Distinguished Name (DN) contains identifying information for the device including what authentication method was used when the certificate was obtained.
```
admin@PA-460-2(active)> show device-certificate info
0: Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:c8:85:6a:a6:75:b4:60:d2:f3:fb:79:27:a4:0e:9e:ce:2c:75:b8
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: CN = USC-Client-Issuing-CA2-G3, O = Palo-Alto-Networks-Inc., C = US
        Validity
            Not Before: Feb 19 20:18:39 2023 GMT
            Not After : May 20 20:18:39 2023 GMT
        Subject: CN = 023001000001, O = Palo Alto Networks, L = Santa Clara, ST = CA, C = US, 1.3.6.1.4.1.25461.4.22.1 = tpm, 1.3.6.1.4.1.25461.4.22.2 = panos, 1.3.6.1.4.1.25461.4.22.3 = 023001000001
```
The subject attributes in the device certificate are:
Attribute | Value |
---|---|
CN | device serial number |
O | "Palo Alto Networks" |
L | "Santa Clara" |
ST | CA |
C | US |
1.3.6.1.4.1.25461.4.22.1 | cert auth method |
1.3.6.1.4.1.25461.4.22.2 | device type |
1.3.6.1.4.1.25461.4.22.3 | device serial number |
25461 is the Private Enterprise Number (PEN) assigned to Palo Alto Networks.
The OID 1.3.6.1.4.1.25461.4.22.1 specifies the method that was used to authenticate the certificate and can include:

- `tpm` - random from Zero Touch Provisioning (ZTP) supported hardware
- `otp` - one-time password
- `pin` - registration PIN
- others? - unknown
The OID 1.3.6.1.4.1.25461.4.22.2 specifies the device type and can include:

- `panos` - Firewall
- `panorama` - Panorama
- others? - unknown
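As an added example (not code from the page or from Palo Alto Networks), the following script parses the `show device-certificate info` output quoted above and applies the checks a defender would want from this page: the CN and the 25461.4.22.3 serial attribute agree, the auth method and device type OIDs hold known values, the issuer matches the March 2023 hierarchy, the validity period is the stated 90 days, and the certificate is either valid or already inside the 15-day auto-renewal window. The sample text is constructed from the page's output, and the expected issuer CN is assumed to match that hierarchy.

```python
from datetime import datetime, timedelta

# Constructed sample: the relevant lines of the "show device-certificate info"
# output quoted on this page (OpenSSL text form).
SAMPLE_INFO = """
Issuer: CN = USC-Client-Issuing-CA2-G3, O = Palo-Alto-Networks-Inc., C = US
Validity
Not Before: Feb 19 20:18:39 2023 GMT
Not After : May 20 20:18:39 2023 GMT
Subject: CN = 023001000001, O = Palo Alto Networks, L = Santa Clara, ST = CA, C = US, 1.3.6.1.4.1.25461.4.22.1 = tpm, 1.3.6.1.4.1.25461.4.22.2 = panos, 1.3.6.1.4.1.25461.4.22.3 = 023001000001
"""

PAN_PEN = "1.3.6.1.4.1.25461"            # Palo Alto Networks Private Enterprise Number
OID_AUTH_METHOD = PAN_PEN + ".4.22.1"    # cert auth method (tpm / otp / pin)
OID_DEVICE_TYPE = PAN_PEN + ".4.22.2"    # device type (panos / panorama)
OID_SERIAL = PAN_PEN + ".4.22.3"         # device serial number, duplicated in CN
EXPECTED_ISSUER_CN = "USC-Client-Issuing-CA2-G3"  # assumed: issuing CA in the page's March 2023 hierarchy
MAX_LIFETIME = timedelta(days=90)                # validity period stated on the page
RENEW_BEFORE = timedelta(days=15)                # auto-renewal window stated on the page

def parse_dn(line):
    """Turn 'Subject: CN = x, O = y' into a dict (values must not contain commas)."""
    body = line.split(":", 1)[1]
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in body.split(","))}

def parse_time(line):
    """Parse 'Not Before: Feb 19 20:18:39 2023 GMT' into a naive UTC datetime."""
    return datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y %Z")

def parse_info(text):
    """Extract issuer, subject and validity window from the CLI text."""
    info = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Subject:"):
            info["subject"] = parse_dn(line)
        elif line.startswith("Issuer:"):
            info["issuer"] = parse_dn(line)
        elif line.startswith("Not Before"):
            info["not_before"] = parse_time(line)
        elif line.startswith("Not After"):
            info["not_after"] = parse_time(line)
    return info

def check_device_cert(text, now):
    """Return a list of findings (empty = healthy) for the certificate as seen at 'now' (UTC)."""
    info = parse_info(text)
    s = info["subject"]
    findings = []
    if info["issuer"].get("CN") != EXPECTED_ISSUER_CN:
        findings.append("unexpected issuer: " + str(info["issuer"].get("CN")))
    if s.get("CN") != s.get(OID_SERIAL):
        findings.append("CN and serial attribute disagree")
    if s.get(OID_AUTH_METHOD) not in ("tpm", "otp", "pin"):
        findings.append("unknown auth method: " + str(s.get(OID_AUTH_METHOD)))
    if s.get(OID_DEVICE_TYPE) not in ("panos", "panorama"):
        findings.append("unknown device type: " + str(s.get(OID_DEVICE_TYPE)))
    if info["not_after"] - info["not_before"] > MAX_LIFETIME:
        findings.append("validity period longer than 90 days")
    if not info["not_before"] <= now <= info["not_after"]:
        findings.append("certificate not valid at " + now.isoformat())
    elif info["not_after"] - now <= RENEW_BEFORE:
        findings.append("inside the 15-day auto-renewal window; confirm the last fetch succeeded")
    return findings

def check_at(text, year, month, day):
    """Convenience wrapper: evaluate the certificate at midnight UTC on the given date."""
    return check_device_cert(text, datetime(year, month, day))
```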