>
    Strata Copilot
    Obtain a Certificate from an External CA
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Obtain and Import Certificates
    5. Obtain a Certificate from an External CA
    Download PDF
    Next-Generation Firewall

    Obtain a Certificate from an External CA

    Table of Contents

    Obtain a Certificate from an External CA

    Learn how to request, import, and configure a certificate from an external certificate authority.
    The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
    To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, configure an OCSP responder before generating a CSR.
    1. Request the certificate from an external CA.
      1. Select DeviceCertificate ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
      2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
      3. Click Generate.
      4. Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
      5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
      6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
      7. In the Signed By field, select External Authority (CSR).
      8. If applicable, select an OCSP Responder.
      9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.
        If you add a Host Name attribute, it should match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
      10. Click Generate. The Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later) tab displays the CSR with a Status of pending.
    2. Submit the CSR to the CA.
      1. Select the CSR and click Export to save the .csr file to a local computer.
      2. Upload the .csr file to the CA.
    3. Import the certificate.
      1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
      2. Enter the Certificate Name used to generate the CSR.
      3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
      4. Click OK. The Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later) tab displays the certificate with a Status of valid.
    4. Configure the certificate.
      1. Click the certificate Name.
      2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
      3. Click OK and Commit.

    © 2026 Palo Alto Networks, Inc. All rights reserved.