You can add a new certificate to your SSL Inbound Inspection
decryption rule while an old certificate is still valid.
You can now configure
SSL Inbound Inspection policy
rules with up to 12 server certificates. Newly added support for multiple
certificates enables you to update certificates on your protected
servers without decryption downtime. You can also configure rules
to decrypt and inspect traffic to servers that host multiple domains,
each with a different certificate.
To ensure a valid certificate
is always available, import the new server certificate and key on
your firewall and add it to your Decryption policy rule before updating
your web server. The firewall uses the old but valid server certificate
to proxy the connection between the client and your internal server
to decrypt and inspect inbound SSL/TLS traffic. After you install
the new certificate on your server, the firewall will use it for
new SSL/TLS connections as long as the certificate in your SSL Inbound
Inspection policy rule matches the server certificate. If a certificate mismatch
occurs, the session ends, and the Decryption log entry reports the session-end
reason as a firewall and server certificate mismatch.
(Panorama ™)
Support for multiple certificates in SSL Inbound Inspection policy
rules is unavailable in PAN-OS versions earlier than 10.2. If you
push an SSL Inbound Inspection policy rule with multiple certificates
from a Panorama management server running PAN-OS ® 10.2
to a firewall running an earlier version, only one certificate is
preserved in the policy rule on the firewall.
Before pushing
your Decryption policy rule from Panorama, we recommend you set
up different
templates or
device groups for firewalls running
PAN-OS 10.1 and earlier to ensure you
push the correct policy rule and
certificate to the appropriate firewalls.
Perform
the following steps to update your firewall and SSL Inbound Inspection rule
with a newly issued server certificate.