Posts

Showing posts from November 2025

Palo Alto | Forcing Device Certificates to Use the Newer Intermediate Certificate

There are situations where Palo Alto device certificates used for the Web Interface or GlobalProtect, and issued by third-party PKI servers such as ADCS, will expire because their root CA or intermediate CA certificates are also expiring. In these cases, the certificates must be renewed. However, there is a minor bug in Palo Alto devices: if two intermediate certificates share the same issuer (the root CA) but have different expiration dates, all imported certificates from that issuer will incorrectly be associated with the older intermediate certificate.

For example: a Palo Alto firewall is using a third-party PKI (Microsoft ADCS) to issue private certificates for the Web Console and GlobalProtect portals/gateways. The firewall has the following certificates installed under Device > Certificate Management > Certificates:

Root CA
Old Intermediate Cert
To be expired soon/already expired
Current Global Protect cert...