>
    Strata Copilot
    Generate a Certificate
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Obtain and Import Certificates
    5. Generate a Certificate
    Download PDF
    Next-Generation Firewall

    Generate a Certificate

    Table of Contents

    Generate a Certificate

    Learn how to generate certificates to authenticate client, servers, users, and devices.
    Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Authentication Portal, GlobalProtect™, site-to-site IPSec VPN, and web interface access to the firewall or Panorama. Generate certificates for each usage: for details, see Keys and Certificates.
    To generate a certificate, first create a self-signed root CA certificate or import one (Import a Certificate and Private Key) to sign it. To use the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure an OCSP responder before generating the certificate.

    Generate Certificate (Strata Cloud Manager)

    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
    3. In the Custom Certificates section, click Generate.
    4. Enter a unique Certificate Name.
      The name is case-sensitive and can have up to 63 characters. Use only letters, numbers, hyphens, and underscores.
    5. For Common Name, enter the FQDN (recommended) or IP address of the interface where you will configure the service that uses this certificate.
    6. For Signed By, select the root CA certificate that will issue the certificate.
    7. To allow an NGFW to issue the certificate, enable Certificate Authority.
      Marking this certificate as a CA grants it the ability to sign other certificates.
    8. For Certificate Use for, select Forward Trust Certificate, Forward UnTrust Certificate, or Trusted Root CA.
    9. Configure the Cryptographic Settings.
      1. Select a key generation Algorithm:
        • RSA (default)
        • Elliptic Curve DSA (ECDSA)
          The Thales CipherTrust Manager integration with PAN-OS does not support ECDSA keys.
          ECDSA is recommended for client browsers and operating systems that support it.
        • ML-DSA (PAN-OS 12.1.2 and later)
        • SLH-DSA (PAN-OS 12.1.2 and later)
      2. (SLH-DSA only) Select Algorithm Parameters.
        These parameters define the hash function family (SHA2 or SHAKE), NIST security level (128 bits, 192 bits, or 256 bits), and digital signature size of the scheme.
      3. Select the Number of Bits (certificate key length):
        Higher numbers are more secure but require more processing time.
        SLH-DSA bits are preselected based on the Algorithm Parameters.
        • For RSA, select 512 bits, 1024 bits, 2048 bits, 3072 bits, or 4096 bits.
          If a managed NGFW is in FIPS-CC mode, RSA keys must be either 2048 or 3072 bits.
        • For Elliptic Curve DSA, select either 256 bits or 384 bits.
        • For ML-DSA, select 10496 bits, 15616 bits, or 20736 bits.
      4. Select a Digest algorithm.
        From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5.
        If you use client certificates for firewall services that rely on TLSv1.2, do not select sha512. Use sha384 or lower. If sha512 is required, set Max Version to TLSv1.1 in the SSL/TLS service profiles for the services.
        • For RSA, select md5, sha1, sha256, sha384, or sha512.
          If a managed NGFW is in FIPS-CC mode, you must select sha256, sha384, or sha512.
        • For Elliptic Curve DSA, ML-DSA, or SLH-DSA, select sha256, sha384, or sha512.
      5. For Expiration, enter the number of days (default is 365) the certificate is valid.
    10. (Optional) Add (+) Certificate Attributes to uniquely identify the NGFW and service that uses the certificate.
      If you add a Host Name (DNS name) attribute, match it to the Common Name, because the hostname populates the Subject Alternate Name (SAN) field of the certificate and some browsers require the SAN to specify the domains the certificate protects; in addition, the Host Name matching the Common Name is mandatory for GlobalProtect.
    11. (Optional) Select an OCSP Responder.
    12. Save the certificate.
      The certificate displays in the Custom Certificates list.
    13. To commit your changes, select Push ConfigPush.

    Generate Certificate (PAN-OS and Panorama)

    1. Select DeviceCertificate ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
    2. For Certificate Type, select Local (default) unless you want to deploy .
    3. Enter a unique Certificate Name.
      Names are case-sensitive and can use up to 63 characters on the firewall or 31 characters on Panorama. Use only letters, numbers, hyphens, and underscores.
    4. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
      To share the certificate across all vsys, enable Shared.
    5. For Common Name, enter the FQDN (recommended) or IP address of the interface where you configure the service using this certificate.
    6. For Signed By, select the root CA certificate that will issue the certificate.
    7. To allow the firewall to issue the certificate, enable Certificate Authority.
      Marking this certificate as a CA grants it the ability to sign other certificates on the firewall.
    8. (Optional) Enable Block Private Key Export.
      Enable this setting to prevent the private key from being exported when you export the certificate.
      If you enable this setting, you must manually import the associated private key if you import the certificate to Panorama or to other firewalls. For firewalls managed by Panorama, the private key is required to successfully push configuration changes to managed firewalls that you imported the certificate to.
    9. (Optional) Select an OCSP Responder.
    10. Select a key generation Algorithm:
      • RSA (default)
      • Elliptic Curve DSA (ECDSA)
        The Thales CipherTrust Manager integration with PAN-OS does not support ECDSA keys.
        ECDSA is recommended for client browsers and operating systems that support it.
      • (PAN-OS 12.1.2 and later) ML-DSA
      • (PAN-OS 12.1.2 and later) SLH-DSA
    11. (SLH-DSA only) Select Algorithm Parameters for the hash-based signature scheme.
      These parameters define the hash function family (SHA2 or SHAKE), NIST security level (128 bits, 192 bits, or 256 bits), and digital signature size of the scheme.
    12. Select the Number of Bits to define the certificate key length.
      Higher numbers are more secure but require more processing time.
      SLH-DSA bits are preselected based on the Algorithm Parameters.
      • For RSA, select 512 bits, 1024 bits, 2048 bits, 3072 bits, or 4096 bits.
        If the NGFW is in FIPS-CC mode, the RSA keys generated must be either 2048 or 3072 bits.
      • For Elliptic Curve DSA, select either 256 bits or 384 bits.
      • (PAN-OS 12.1.2 and later) For ML-DSA, select 10496 bits, 15616 bits, or 20736 bits.
    13. Select a Digest algorithm.
      From most to least secure, the options are: sha512, sha384, sha256 (default), sha1.
      If you use client certificates for firewall services that rely on TLSv1.2, do not select sha512. Use sha384 or lower. If sha512 is required, set Max Version to TLSv1.1 in the SSL/TLS service profiles for the services.
      • For RSA, select sha1, sha256, sha384, or sha512.
        If your NGFW is in FIPS-CC mode, you must select sha256, sha384, or sha512.
      • For Elliptic Curve DSA, select sha256, sha384, or sha512.
      • (PAN-OS 12.1.2 and later) For ML-DSA and SLH-DSA, select sha256, sha384, or sha512.
    14. For Expiration, enter the number of days (default is 365) the certificate is valid.
    15. (Optional) Add Certificate Attributes to uniquely identify the firewall and the service that uses the certificate.
      If you add a Host Name (DNS name) attribute, match it to the Common Name, because the hostname populates the Subject Alternate Name (SAN) field of the certificate and some browsers require the SAN to specify the domains the certificate protects; in addition, the Host Name matching the Common Name is mandatory for GlobalProtect.
    16. Click Generate and, in the Device Certificates page, click the certificate Name.
      Regardless of the time zone on the firewall, it always displays the corresponding Greenwich Mean Time (GMT) for certificate validity and expiration dates and times.
    17. Specify the intended use of the certificate.
      For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, enable Certificate for Secure Syslog.
    18. Click OK and Commit.

    © 2026 Palo Alto Networks, Inc. All rights reserved.