Generate a Certificate
Focus
Focus

Generate a Certificate

Table of Contents
End-of-Life (EoL)

Generate a Certificate

Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Authentication Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate certificates for each usage: for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.
  1. Select
    Device
    Certificate Management
    Certificates
    Device Certificates
    .
  2. If the firewall has more than one virtual system (vsys), select a
    Location
    (vsys or
    Shared
    ) for the certificate.
  3. Click
    Generate
    .
  4. Select
    Local
    (default) as the
    Certificate Type
    unless you want to deploy SCEP certificates to GlobalProtect endpoints.
  5. Enter a
    Certificate Name
    . The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
  6. In the
    Common Name
    field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  7. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the
    Shared
    check box.
  8. In the
    Signed By
    field, select the root CA certificate that will issue the certificate.
  9. (
    Optional
    ) Select whether to
    Block Private Key Export
    .
    Enable this setting to prevent the private key from being exported when you export the certificate.
    If you enable this setting, you must manually import the associated private key if you import the certificate to Panorama or to other firewalls. For firewalls managed by Panorama, the private key is required to successfully push configuration changes to managed firewalls that you imported the certificate to.
  10. (
    Optional
    ) Select an
    OCSP Responder
    .
  11. For the key generation
    Algorithm
    , select
    RSA
    (default) or
    Elliptical Curve DSA
    (ECDSA). ECDSA is recommended for client browsers and operating systems that support it.
    Firewalls that run PAN-OS 6.1 and earlier releases will delete any ECDSA certificates that you push from Panorama™, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.
    You cannot use a hardware security module (HSM) to store ECDSA keys used for SSL/TLS Decryption.
  12. Select the
    Number of Bits
    to define the certificate key length. Higher numbers are more secure but require more processing time.
  13. Select the
    Digest
    algorithm. From most to least secure, the options are:
    sha512
    ,
    sha384
    ,
    sha256
    (default),
    sha1
    , and
    md5
    .
    Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have
    sha512
    as a digest algorithm. The client certificates must use a lower digest algorithm (such as
    sha384
    ) or you must limit the
    Max Version
    to
    TLSv1.1
    when you Configure an SSL/TLS Service Profile for the firewall services.
  14. For the
    Expiration
    , enter the number of days (default is 365) for which the certificate is valid.
  15. (
    Optional
    )
    Add
    the
    Certificate Attributes
    to uniquely identify the firewall and the service that will use the certificate.
    If you add a
    Host Name
    (DNS name) attribute, it is a best practice for it to match the
    Common Name
    , because the host name populates the Subject Alternate Name (SAN) field of the certificate and some browsers require the SAN to specify the domains the certificate protects; in addition, the
    Host Name
    matching the
    Common Name
    is mandatory for GlobalProtect.
  16. Click
    Generate
    and, in the Device Certificates page, click the certificate Name.
    Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates/times.
  17. Select the check boxes that correspond to the intended use of the certificate on the firewall.
    For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the
    Certificate for Secure Syslog
    check box.
  18. Click
    OK
    and
    Commit
    .

Recommended For You