Manage Firewall and Panorama Certificates

  • Device > Certificate Management > Certificates > Custom Certificates
  • Panorama > Certificate Management > Certificates
Select Device > Certificate Management > Certificates > Custom Certificates or Panorama > Certificate Management > Certificates to display the certificates that the firewall or Panorama uses for tasks such as securing access to the web interface, SSL decryption, or LSVPN.
The following are some uses for certificates. Define the usage of the certificate after you generate it (see Manage Default Trusted Certificate Authorities).
  • Forward Trust—The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption when the certificate authority (CA) that signed the server certificate is in the trusted CA list on the firewall.
  • Forward Untrust—The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption when the CA that signed the server certificate isn't in the trusted CA list on the firewall.
  • Trusted Root CA—The firewall uses this certificate as a trusted CA for SSL Forward Proxy decryption, GlobalProtect, URL Admin Override, and Authentication Portal. The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that your organization trusts but that are not part of the preinstalled trusted list.
  • Certificate for Secure Syslog—The firewall uses this certificate to secure the delivery of logs as syslog messages to a syslog server.
To generate a certificate, click Generate and specify the following fields:
After a certificate is generated, the page displays Other Supported Actions to Manage Certificates.
Settings to Generate a Certificate
Description
Certificate Type
Select the entity that generates the certificate:
Local—The firewall or Panorama generates the certificate.
SCEP—A Simple Certificate Enrollment Protocol (SCEP) server generates the certificate and sends it to the firewall or Panorama.
Certificate Name
(Required) Enter a name (up to 63 characters on the firewall or up to 31 characters on Panorama) to identify the certificate. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
SCEP Profile
(SCEP certificates only) Select a SCEP Profile to define how the firewall or Panorama communicates with a SCEP server and to define settings for the SCEP certificate. For details, see Device > Certificate Management > SCEP. You can configure a firewall that serves as a GlobalProtect portal to request SCEP certificates on demand and automatically deploy the certificates to endpoints.
The remaining fields in the Generate Certificate dialog do not apply to SCEP certificates. After specifying the Certificate Name and SCEP Profile, click Generate.
Common Name
(Required) Enter the IP address or FQDN that will appear on the certificate.
Shared
On a firewall that has more than one virtual system (vsys), select Shared if you want the certificate to be available to every vsys.
Signed By
To sign the certificate, you can use a certificate authority (CA) certificate that you imported into the firewall. The certificate can also be self-signed, in which case the firewall is the CA. If you are using Panorama, you also have the option of generating a self-signed certificate for Panorama.
If you imported CA certificates or issued any on the firewall (self-signed), the drop-down includes the CAs available to sign the certificate that you are creating.
To generate a certificate signing request (CSR), select External Authority (CSR). After the firewall generates the certificate and the key pair, you can export the CSR and send it to the CA for signing.
Certificate Authority
Select this option if you want the firewall to issue the certificate.
Marking this certificate as a CA allows you to use this certificate to sign other certificates on the firewall.
Block Private Key Export
When you generate a certificate, select this option to block all administrators, including superusers, from exporting the private key.
OCSP Responder
Select an OCSP responder profile from the drop-down (see Device > Certificate Management > OCSP Responder). The corresponding host name appears in the certificate.
Cryptographic Settings
Algorithm
Select a key generation algorithm for the certificate:
  • RSA
  • Elliptic Curve DSA (ECDSA)
  • ML-DSA
  • SLH-DSA
ECDSA uses smaller key sizes than the RSA algorithm and, therefore, provides a performance enhancement for processing SSL/TLS connections. ECDSA also provides equal or greater security than RSA. ECDSA is recommended for client browsers and operating systems that support it but you may be required to select RSA for compatibility with legacy browsers and operating systems.
The Thales CipherTrust Manager integration with PAN-OS doesn't support ECDSA keys.
(SLH-DSA only) Algorithm Parameters
Select an algorithm parameter for the hash-based signature scheme. The parameters reflect the hashing algorithm (SHA2 or SHAKE), the NIST security level (128, 192, or 256 bits of security), and the digital signature size of the scheme.
Number of Bits
Select a key length for the certificate:
  • RSA—512, 1024, 2048, 3072, or 4096 bits
    If the firewall is in FIPS-CC mode, the RSA key length must be 2048 or 3072 bits.
  • Elliptic Curve DSA—256 or 384 bits
  • ML-DSA—10496, 15616, or 20736 bits
  • SLH-DSA—SHA2 and SHAKE parameter sets
Digest
Select a digest algorithm for the certificate. The available options depend on the key generation Algorithm:
  • RSA—MD5, SHA1, SHA256, SHA384, or SHA512
    If the firewall is in FIPS-CC mode, you must select SHA256, SHA384, or SHA512.
  • Elliptic Curve DSA—SHA256 or SHA384
  • ML-DSA and SLH-DSA—SHA256, SHA384, or SHA512
If you use client certificates for firewall services that rely on TLSv1.2 (such as administrative access to the web interface), don't use the SHA512 digest algorithm. Use SHA384 or lower, or set Max Version to TLSv1.1 in the SSL/TLS service profiles for those services (see Device > Certificate Management > SSL/TLS Service Profile).
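To catch a request that the Generate Certificate dialog would reject, or that the FIPS-CC and TLSv1.2 notes above warn about, before it is submitted by hand or through automation, here is an added example (not from the PAN-OS documentation or from Palo Alto Networks) that encodes this page's name, key-length and digest constraints in Python; the CertRequest fields and the validate function are this example's own names.

```python
import re
from dataclasses import dataclass

# Options this page lists per algorithm; SLH-DSA takes a parameter set, not a key length.
KEY_BITS = {"RSA": {512, 1024, 2048, 3072, 4096}, "ECDSA": {256, 384},
            "ML-DSA": {10496, 15616, 20736}}
DIGESTS = {"RSA": {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"},
           "ECDSA": {"SHA256", "SHA384"},
           "ML-DSA": {"SHA256", "SHA384", "SHA512"},
           "SLH-DSA": {"SHA256", "SHA384", "SHA512"}}
FIPS_RSA_BITS = {2048, 3072}                  # FIPS-CC mode limits
FIPS_DIGESTS = {"SHA256", "SHA384", "SHA512"}
NAME_CHARS = re.compile(r"^[A-Za-z0-9 _-]+$")  # letters, numbers, spaces, hyphens, underscores

@dataclass
class CertRequest:
    # Fields of the Generate Certificate dialog; the attribute names are this example's own.
    name: str                        # Certificate Name
    common_name: str                 # Common Name: IP address or FQDN
    algorithm: str                   # RSA, ECDSA, ML-DSA or SLH-DSA
    digest: str
    bits: "int | None" = None        # Number of Bits (None for SLH-DSA)
    on_panorama: bool = False        # Panorama caps names at 31 characters, the firewall at 63
    fips_cc: bool = False            # device runs in FIPS-CC mode
    tls12_client_cert: bool = False  # will be a client certificate for a TLSv1.2 service

def validate(req: CertRequest) -> list:
    """Return the problems found; an empty list means the request is acceptable."""
    problems = []
    limit = 31 if req.on_panorama else 63
    if not req.name or len(req.name) > limit:
        problems.append(f"certificate name must be 1-{limit} characters")
    elif not NAME_CHARS.match(req.name):
        problems.append("certificate name may only use letters, numbers, spaces, hyphens and underscores")
    if not req.common_name:
        problems.append("common name (IP address or FQDN) is required")
    if req.algorithm not in DIGESTS:
        return problems + [f"unknown algorithm {req.algorithm!r}"]
    if req.algorithm != "SLH-DSA" and req.bits not in KEY_BITS[req.algorithm]:
        problems.append(f"{req.algorithm} key length {req.bits} is not offered")
    if req.fips_cc and req.algorithm == "RSA" and req.bits not in FIPS_RSA_BITS:
        problems.append("FIPS-CC mode requires RSA 2048 or 3072 bits")
    if req.digest not in DIGESTS[req.algorithm]:
        problems.append(f"digest {req.digest} is not offered for {req.algorithm}")
    if req.fips_cc and req.digest not in FIPS_DIGESTS:
        problems.append("FIPS-CC mode requires SHA256, SHA384 or SHA512")
    if req.tls12_client_cert and req.digest == "SHA512":
        problems.append("don't use SHA512 for a TLSv1.2 client certificate; use SHA384 or lower")
    return problems
```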
Expiration (days)
Specify the number of days (default is 365) that the certificate will be valid.
If you specify a Validity Period in a GlobalProtect satellite configuration, that value will override the value entered in this field.
Certificate Attributes
Add additional Certificate Attributes to identify the entity to which you're issuing the certificate. You can add any of the following attributes: Country, State, Locality, Organization, Department, and Email. In addition, you can specify one of the following Subject Alternative Name fields: Host Name (SubjectAltName:DNS), IP (SubjectAltName:IP), and Alt Email (SubjectAltName:email).
To add a country as a certificate attribute, select Country from the Type column and then click into the Value column to see the ISO 6366 Country Codes.
If you configured a hardware security module (HSM), the private keys are stored on the external HSM storage, not on the firewall.