Obtain and Import Certificates
    
    Create self-signed root CA certificates, generate and import certificates, obtain
    external CA certificates, and more.
    You can obtain certificates from your enterprise PKI, from an external or third-party CA, or
      generate one on the firewall.
- Obtain certificates from a trusted third-party CA—You can obtain certificates from
          trusted third-party certificate authorities (CAs) through a formal request process. This
          process includes submitting a certificate signing request (CSR) with a server's public
          key, identifying information about your organization, and the Common Name of the server or
          website.

          The benefit of obtaining a certificate from a trusted third-party certificate authority
          (CA) such as VeriSign or GoDaddy is that end clients will already trust the certificate
          because common browsers include root CA certificates from well-known CAs in their trusted
          root certificate stores. For applications requiring end clients to establish secure
          connections with the firewall or Panorama, purchase a certificate from a CA that end
          clients trust to avoid predeploying root CA certificates to the end clients. The
          applications this applies to are GlobalProtect™ portal or GlobalProtect Mobile Security
          Manager. However, most third-party CAs can’t issue signing certificates, making this type
          of certificate inappropriate for applications, such as SSL/TLS decryption and Large Scale
          VPN, that require the firewall to issue certificates. See Obtain a Certificate from an
          External CA.
- Obtain certificates from an enterprise CA—If your organization maintains its own
          public key infrastructure (PKI), you can import certificates and private keys directly
          from your enterprise certificate authority (CA). The benefit is that end clients probably
          already trust the enterprise CA.

          Enterprise CA certificates offer the advantage of automatically issuing certificates for
          applications such as SSL/TLS decryption or GlobalProtect Large Scale VPN deployments,
          unlike most third-party commercial certificates. You can either generate the needed
          certificates and import them onto the firewall, or generate a certificate signing request
          (CSR) on the firewall and send it to the enterprise CA for signing. A benefit of this
          method is that the private key doesn't leave the firewall. See Import a Certificate and
          Private Key.
- If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise
          PKI, you can automate the generation and distribution of unique client certificates using
          SCM. See Deploy Certificates Using SCEP.
- Generate self-signed certificates—A self-signed root CA certificate sits at the
          top of a certificate chain hierarchy. Firewalls can use these certificates to
          automatically issue subordinate certificates for various purposes, including SSL/TLS
          decryption and GlobalProtect Large Scale VPN satellites. Before generating a
          certificate, import or create a self-signed root CA certificate to sign it.
    - When you use this method to generate certificates for an application that requires an
            end client to trust the certificate, end users will see a certificate error because the
            root CA certificate is not in their trusted root certificate store. To prevent this,
            deploy the self-signed root CA certificate to all end-user systems. You can deploy the
            certificates manually or use a centralized deployment method such as an Active Directory
            Group Policy Object (GPO).
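
The trust behavior described above, as an added example using the OpenSSL command line (not a firewall procedure and not from the original page). It creates a self-signed root CA, signs a CSR with it, and checks the result against a client trust store that lacks the root and one that has it; all names are constructed placeholders.

```shell
# Constructed names throughout: "Example Root CA", "Other Root CA", fw.example.com.
make_root() {  # make_root <dir> <name> <CN>: self-signed root CA (top of the chain)
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $3
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$1/$2.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_server_cert() {  # issue_server_cert <dir> <ca-name> <CN>
    # Key and CSR are created by the server; -config only avoids the system openssl.cnf.
    openssl req -new -config "$1/$2.cnf" -subj "/CN=$3" -newkey rsa:2048 -nodes \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    # The CA signs the CSR with its own key; server.key is not an input here.
    openssl x509 -req -in "$1/server.csr" -days 30 -CA "$1/$2.crt" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/server.crt" 2>/dev/null
}

check_trust() {  # check_trust <trust-store.pem> <cert.pem>
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_root "$d" root "Example Root CA" || return 1
    make_root "$d" other "Other Root CA" || return 1
    issue_server_cert "$d" root "fw.example.com" || return 1
    # Client whose store lacks the signing root vs. client with the root deployed.
    echo "without root: $(check_trust "$d/other.crt" "$d/server.crt")"
    echo "with root:    $(check_trust "$d/root.crt" "$d/server.crt")"
    rm -rf "$d"
}
demo
```

The "without root" case is what an end user's browser reports as a certificate error until the root CA certificate is deployed to that system.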