Obtain and Import Certificates
Create self-signed root CA certificates, generate and import certificates, obtain
external CA certificates, and more.
You can obtain certificates from your enterprise PKI, from an external (third-party) CA, or
generate them on the firewall.
Obtain certificates from a trusted third-party CA—You can obtain certificates from
trusted third-party certificate authorities (CAs) through a formal request process. This
process includes submitting a certificate signing request (CSR) that contains the server's
public key, identifying information about your organization, and the Common Name of the
server or website (current browsers additionally require that name to appear in a Subject
Alternative Name extension).
The benefit of obtaining a certificate from a trusted third-party certificate authority
(CA) such as VeriSign or GoDaddy is that end clients already trust the certificate, because
common browsers and operating systems ship the root CA certificates of well-known CAs in
their trusted root certificate stores. For applications that require end clients to
establish secure connections with the firewall or Panorama, such as the GlobalProtect™
portal or GlobalProtect Mobile Security Manager, purchase a certificate from a CA that the
end clients already trust so that you do not have to predeploy a root CA certificate to
them.
However, most third-party CAs will not issue signing (subordinate CA) certificates to
customers, so a third-party certificate is inappropriate for applications, such as SSL/TLS
decryption and Large Scale VPN, in which the firewall itself must issue certificates. See
Obtain a Certificate from an External CA.
Obtain certificates from an enterprise CA—If your organization maintains its own
public key infrastructure (PKI), you can import certificates and private keys directly
from your enterprise certificate authority (CA). The benefit is that managed end clients
typically already trust the enterprise CA.
Unlike most commercial third-party CAs, an enterprise CA can issue the firewall a signing
certificate, which the firewall then uses to automatically issue certificates for
applications such as SSL/TLS decryption or GlobalProtect Large Scale VPN deployments. You
can either generate the needed certificates on the enterprise CA and import them, together
with their private keys, onto the firewall, or generate a certificate signing request (CSR)
on the firewall and send it to the enterprise CA for signing. The benefit of the CSR method
is that the private key never leaves the firewall. See
Import a Certificate and Private Key.
If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise
PKI, you can automate the generation and distribution of unique client certificates using
SCM. See
Deploy Certificates Using SCEP.
Generate self-signed certificates—A self-signed root CA certificate sits at the
top of a certificate chain. The firewall can use it to automatically issue subordinate
certificates for various purposes, including SSL/TLS decryption and GlobalProtect Large
Scale VPN satellites. Before generating such a certificate, import or create the
self-signed root CA certificate that will sign it.
When you use this method to generate certificates for an application that requires an
end client to trust the certificate, end users will see a certificate error because the
self-signed root CA certificate is not in their trusted root certificate store. To prevent
this, deploy the self-signed root CA certificate (the certificate only, never its private
key) to all end-user systems. You can deploy the certificate manually or use a centralized
deployment method such as an Active Directory Group Policy Object (GPO).
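The chain these three options describe, as an added example with OpenSSL that is not part of this guide or of PAN-OS: a self-signed root CA signs a subordinate signing certificate for the firewall (the CA:TRUE certificate that a public CA will not sell you), the subordinate issues an ordinary server certificate, and both are verified against the root. It also shows why a non-CA certificate, such as one bought from a third-party CA, cannot serve as a signing certificate. The organization, host names and file names are hypothetical. The subordinate's private key is generated next to its CSR here only so that the script is self-contained; in the CSR workflow described above that key is generated on the firewall and stays there.

```shell
#!/bin/sh
# Added example (not PAN-OS code): build and verify the certificate chain
# described above with OpenSSL. All names and file names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# One config file: a no-prompt DN section (overridden by -subj) and one
# extension section per certificate type.
write_config() {
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# 1. Self-signed root CA: top of the chain and the only certificate that has
#    to be deployed to end clients. Its key would be kept offline in practice.
make_root_ca() {
  openssl req -x509 -config req.cnf -extensions v3_root -newkey rsa:2048 -nodes \
    -sha256 -days 3650 -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout root.key -out root.crt >/dev/null 2>&1
}

# 2. CSR for the firewall's signing certificate (the private key stays with
#    whoever generated it; on the firewall that is the firewall itself).
make_sub_csr() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/CN=Example Corp Decryption CA" \
    -keyout fw-sub.key -out fw-sub.csr >/dev/null 2>&1
}

# 3. The root signs the CSR as a subordinate CA (CA:TRUE, pathlen:0). This is
#    the extension a public CA will not put on a certificate it issues you.
sign_sub_ca() {
  openssl x509 -req -in fw-sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile req.cnf -extensions v3_sub -out fw-sub.crt >/dev/null 2>&1
}

# 4. The subordinate issues an end-entity server certificate, the kind that
#    SSL/TLS decryption generates on the fly for each visited site.
issue_leaf() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.com" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA fw-sub.crt -CAkey fw-sub.key -CAcreateserial \
    -days 365 -sha256 -extfile req.cnf -extensions v3_leaf -out leaf.crt >/dev/null 2>&1
}

# 5. Misuse: sign with the non-CA leaf as if it were a signing certificate.
#    OpenSSL will happily produce bad.crt; no client will accept it.
sign_with_non_ca() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=forged.example.com" -keyout bad.key -out bad.csr >/dev/null 2>&1
  openssl x509 -req -in bad.csr -CA leaf.crt -CAkey leaf.key -CAcreateserial \
    -days 365 -sha256 -extfile req.cnf -extensions v3_leaf -out bad.crt >/dev/null 2>&1
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE, i.e. it can sign.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Returns 0 if leaf.crt chains to root.crt through the subordinate.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted fw-sub.crt leaf.crt >/dev/null 2>&1
}

# Returns 0 only if leaf.crt verifies against the root alone (it must not:
# a client needs the intermediate, which the firewall sends in the handshake).
verify_without_intermediate() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Returns 0 only if bad.crt, issued by the non-CA leaf, verifies (it must not).
verify_non_ca_issuer() {
  openssl verify -CAfile root.crt -untrusted fw-sub.crt -untrusted leaf.crt bad.crt \
    >/dev/null 2>&1
}

write_config; make_root_ca; make_sub_csr; sign_sub_ca; issue_leaf; sign_with_non_ca
is_ca_cert fw-sub.crt       && echo "fw-sub.crt is a signing (CA) certificate"
is_ca_cert leaf.crt         || echo "leaf.crt is an end-entity certificate"
verify_chain                && echo "leaf.crt chains to root.crt via fw-sub.crt"
verify_without_intermediate || echo "leaf.crt does not verify without fw-sub.crt"
verify_non_ca_issuer        || echo "bad.crt, issued by a non-CA, is rejected"
```

Run it with sh on any host with OpenSSL 1.1.1 or later. root.crt is the file you would distribute to clients (by GPO or otherwise); fw-sub.crt with fw-sub.key is what you would import on the firewall as the signing certificate for decryption, and root.key should never be copied anywhere. Delete the temporary directory afterwards.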