Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
Export a Certificate and Private Key
Select Device > Certificate Management > Certificates > Device Certificates.
If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
Select the certificate, click Export, and select a File Format: Base64 Encoded Certificate (PEM) —This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box. Encrypted Private Key and Certificate (PKCS12) —This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key. Binary Encoded Certificate (DER) —More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.
Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.
Click OK and save the certificate/key file to your computer.

Related Documentation