>
    Import a Certificate and Private Key
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Certificate Management
    4. Obtain Certificates
    5. Import a Certificate and Private Key
    Download PDF

    Import a Certificate and Private Key

    Table of Contents
    End-of-Life (EoL)

    Import a Certificate and Private Key

    If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.
    On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
    Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
    If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
    1. From the enterprise CA, export the certificate and private key that the firewall will use for authentication.
      When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
    2. Select DeviceCertificate ManagementCertificatesDevice Certificates.
    3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
    4. Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
    5. To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
    6. Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
    7. Select a File Format:
      • Encrypted Private Key and Certificate (PKCS12)—This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
      • Base64 Encoded Certificate (PEM)—You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step.
        (Panorama managed firewalls) You are required to Import Private Key if you enabled Block Private Key Export when the certificate was generated to successfully push configuration changes from the Panorama management server to managed firewalls.
    8. Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
    9. Click OK. The Device Certificates page displays the imported certificate.

    © 2025 Palo Alto Networks, Inc. All rights reserved.