Export a Certificate and Private Key

1. Select DeviceCertificate ManagementCertificatesDevice Certificates.
2. If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
3. Select the certificate, click Export, and select a File Format:

   • Base64 Encoded Certificate (PEM)—This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
   • Encrypted Private Key and Certificate (PKCS12)—This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
   • Binary Encoded Certificate (DER)—More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.
4. Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.

   (Panorama managed firewalls) If you enabled Block Private Key Export when you generated or imported the certificate, you must be sure to Import Private Key and add the key File when you import the exported certificate. This is required to successfully push configuration changes from Panorama to managed firewalls that you imported the certificate to.
5. Click OK and save the certificate/key file to your computer.