A self-signed root certificate authority (CA)
certificate is the top-most certificate in a certificate chain.
A firewall can use this certificate to automatically issue certificates
for other uses. For example, the firewall issues certificates for
SSL/TLS decryption and for satellites in a GlobalProtect large-scale
VPN.
When a remote client establishes a secure connection with the firewall,
the client must trust the root CA that issued the firewall's certificate.
Otherwise, the client browser displays a warning that the certificate
is invalid and, depending on its security settings, might block the
connection. To prevent this, after generating the self-signed root
CA certificate, export the certificate (without its private key) and
import it into the trusted root store of each client system. Keep in
mind that every client that trusts this root will accept any certificate
it signs, so protect the CA's private key on the firewall accordingly.
On a Palo Alto Networks firewall or Panorama,
you can generate self-signed certificates only if they are CA certificates.
1. Select .
2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
3. Click Generate.
4. Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
7. Leave the Signed By field blank to designate the certificate as self-signed.
8. (Required) Select the Certificate Authority check box. This is what allows the firewall to use the certificate to sign the certificates it issues.
9. Leave the OCSP Responder field blank; revocation status verification doesn't apply to root CA certificates, because a root is the trust anchor and there is no authority above it to vouch for its status.
10. Click Generate and Commit.