I had an issue where I was replacing an expiring PKI certificate in the Palo Alto firewall. The certificate imported was successful and it chained correctly under the intermediate and root certificate. However, when I tried referencing the new certificate in the security rule it was not available.

Turnouts out that I had nested devices in my device group.

Firewall 1

  • Firewall 1.1
  • Firewall 1.2

Based on that design, Firewall 1.1 and. 1.2 had the target groups defined including the user ID master device. But the the main master template - Firewall 1 had no definitions. This meant that even after importing the PKI certificate successfully, committing to Panorama and pushing to device, the certificate did not have a defined template to use.

To solve the problem, navigate to the Panorama tab > Device Groups > Firewall 1 (master template missing the definitions). Click on it to open the configurations. On the lower right hand side under the "Reference Templates" field, add the desired template containing the newly imported PKI certificate and click OK.

Apply changes to Panorama and push to device.