@kevinsteves
Last active March 21, 2023 09:52
PAN-OS Device Certificates

PAN-OS firewalls and Panorama require a device certificate to authenticate to certain cloud services including Cortex Data Lake, Device Telemetry and IoT Security.

A device certificate, which is also referred to as a thermite certificate, is obtained using various mechanisms, including automatically for Zero Touch Provisioning (ZTP) enabled hardware firewalls, and manually by generating a one-time password (OTP).

Certificate Validity Period

The validity period of a device certificate is 90 days, and a new certificate will be automatically obtained 15 days prior to expiration.

admin@PA-460-2(active)> show device-certificate status


Device Certificate information:
        Current device certificate status: Valid
        Not valid before: 2023/02/19 12:18:39 PST
        Not valid after: 2023/05/20 13:18:39 PDT
        Last fetched timestamp: 2023/02/19 12:28:40 PST
        Last fetched status: success
        Last fetched info: Successfully fetched Device Certificate

Certificate Chain

Palo Alto Networks operates a private certificate authority (CA) that issues device certificates, with the following hierarchy as of March 2023:

flowchart TB
A(["Root CA<br/>CN = Palo Alto Networks Inc.-Root-CA G1<br/>RSA 3072, SHA-384<br/>Expires May 24 2027"])
A-->|self sign|A
A-->|sign|B(["Intermediate CA<br/>CN = Palo Alto Networks Inc.-Intermediate-SJC-CA G1<br/>RSA 3072, SHA-384<br/>Expires May 24 2027"])
B-->|sign|C(["Intermediate CA<br/>CN = USC-Client-Issuing-CA2-G3<br/>RSA 3072, SHA-384<br/>Expires Aug 13 2024"])
C-->|sign|D([Device Certificate<br/>CN = device serial number<br/>RSA 4096, SHA-384])
C-->|sign|E([Device Certificate])
C-->|sign|F([Device Certificate])

The certificate chain starting from the device certificate to the root CA certificate can be viewed with the CLI command show device-certificate info.

Device Certificate

The device certificate subject or Distinguished Name (DN) contains identifying information for the device including what authentication method was used when the certificate was obtained.

admin@PA-460-2(active)> show device-certificate info 

 0: Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6a:c8:85:6a:a6:75:b4:60:d2:f3:fb:79:27:a4:0e:9e:ce:2c:75:b8
        Signature Algorithm: sha384WithRSAEncryption
        Issuer: CN = USC-Client-Issuing-CA2-G3, O = Palo-Alto-Networks-Inc., C = US
        Validity
            Not Before: Feb 19 20:18:39 2023 GMT
            Not After : May 20 20:18:39 2023 GMT
        Subject: CN = 023001000001, O = Palo Alto Networks, L = Santa Clara, ST = CA, C = US, 1.3.6.1.4.1.25461.4.22.1 = tpm, 1.3.6.1.4.1.25461.4.22.2 = panos, 1.3.6.1.4.1.25461.4.22.3 = 023001000001

The subject attributes in the device certificate are:

Attribute                  Value
CN                         device serial number
O                          "Palo Alto Networks"
L                          "Santa Clara"
ST                         CA
C                          US
1.3.6.1.4.1.25461.4.22.1   cert auth method
1.3.6.1.4.1.25461.4.22.2   device type
1.3.6.1.4.1.25461.4.22.3   device serial number

25461 is the Private Enterprise Number (PEN) assigned to Palo Alto Networks.

The OID 1.3.6.1.4.1.25461.4.22.1 specifies the method that was used to authenticate the device when the certificate was obtained and can include:

  • tpm - random from Zero Touch Provisioning (ZTP) supported hardware

  • otp - one-time password

  • pin - registration PIN

  • others? - unknown

The OID 1.3.6.1.4.1.25461.4.22.2 specifies the device type and can include:

  • panos - Firewall

  • panorama - Panorama

  • others? - unknown
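As an added example (not part of the gist), the following Python pulls the PEN 25461 attributes out of a Subject line in the form the show device-certificate info output prints it, cross-checks the CN against the serial attribute, and computes the expected renewal date from the Not Before / Not After values using the 90-day validity and 15-day renewal lead described above. The sample subject and dates are copied from the output shown on this page; the attribute names (auth_method, device_type, serial) are my own labels.

```python
"""Inspect a PAN-OS device certificate subject and validity window."""
from datetime import datetime, timedelta

PAN_ARC = "1.3.6.1.4.1.25461.4.22."          # Palo Alto Networks PEN 25461 arc
PAN_OIDS = {                                  # labels are assumptions, not PAN-OS names
    PAN_ARC + "1": "auth_method",
    PAN_ARC + "2": "device_type",
    PAN_ARC + "3": "serial",
}
KNOWN_AUTH = {"tpm", "otp", "pin"}            # values documented on the page
KNOWN_TYPES = {"panos", "panorama"}

# Constructed sample: the Subject line from the CLI output above, verbatim.
SAMPLE_SUBJECT = ("CN = 023001000001, O = Palo Alto Networks, L = Santa Clara, "
                  "ST = CA, C = US, 1.3.6.1.4.1.25461.4.22.1 = tpm, "
                  "1.3.6.1.4.1.25461.4.22.2 = panos, "
                  "1.3.6.1.4.1.25461.4.22.3 = 023001000001")


def parse_subject(subject):
    """Split an OpenSSL-style 'key = value, key = value' DN into a dict.
    Assumes no attribute value itself contains ', ' (true for device certs)."""
    attrs = {}
    for part in subject.split(", "):
        key, _, value = part.partition(" = ")
        attrs[key.strip()] = value.strip()
    return attrs


def device_identity(subject):
    """Return the PAN-specific identity fields plus a list of findings."""
    attrs = parse_subject(subject)
    ident = {name: attrs.get(oid) for oid, name in PAN_OIDS.items()}
    findings = []
    if ident["serial"] != attrs.get("CN"):        # CN and .3 should both be the serial
        findings.append("CN does not match PEN serial attribute")
    if ident["auth_method"] not in KNOWN_AUTH:
        findings.append(f"unrecognised auth method {ident['auth_method']!r}")
    if ident["device_type"] not in KNOWN_TYPES:
        findings.append(f"unrecognised device type {ident['device_type']!r}")
    return ident, findings


def renewal_window(not_before, not_after, validity_days=90, renew_days_before=15):
    """Check the stated 90-day validity and return (expected renewal date, ok).
    Dates are in the 'Mon DD HH:MM:SS YYYY GMT' form the CLI prints."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    nb = datetime.strptime(not_before, fmt)
    na = datetime.strptime(not_after, fmt)
    validity_ok = (na - nb) == timedelta(days=validity_days)
    return na - timedelta(days=renew_days_before), validity_ok
```

If the renewal date has passed but show device-certificate status still reports the old Not valid after value, the automatic fetch has failed and the Last fetched info line is the place to look.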
