End-of-Life (EoL)

Obtain a Certificate from an External CA

The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) to verify the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.
  1. Request the certificate from an external CA.
    1. Select Certificate Management > Device Certificates.
    2. If the firewall has more than one virtual system (vsys), select a (vsys or ) for the certificate.
    3. Click
    4. Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
    5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
    6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the check box.
    7. In the Signed By field, select External Authority (CSR).
    8. If applicable, select an OCSP Responder.
    9. ( Certificate Attributes to uniquely identify the firewall and the service that will use the certificate. If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
    10. Click. The Device Certificates tab displays the CSR with a Status of
  2. Submit the CSR to the CA.
    1. Select the CSR and click to save the .csr file to a local computer.
    2. Upload the .csr file to the CA.
  3. Import the certificate.
    1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click
    2. Enter the Certificate Name used to generate the CSR.
    3. Enter the path and name of the PEM Certificate File that the CA sent, or to it.
    4. Click. The Device Certificates tab displays the certificate with a Status of
  4. Configure the certificate.
    1. Click the certificate
    2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
    3. Click
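As an added example (not part of the PAN-OS documentation), the shell script below replays the CSR round trip with openssl so the two checks worth running before importing the CA's PEM can be shown: that the returned certificate carries the public key from the firewall's own CSR (otherwise the import pairs a certificate with a key the firewall never generated), and that its Subject Alternative Name contains the Common Name, the Host Name best practice above. The FQDN, file names and the throwaway test CA that stands in for the external CA are constructed assumptions.

```shell
#!/bin/sh
# Added example, not PAN-OS code. Simulates both sides of the workflow offline:
# the "firewall" generates key + CSR, a constructed test CA signs it, and two
# checks validate the returned PEM before it would be imported.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FQDN="fw1.example.internal"   # constructed: Common Name and Host Name attribute

# Firewall side: the private key is created here and never leaves this host.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout "$WORK/fw.key" -out "$WORK/fw.csr" \
  -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" 2>/dev/null

# Constructed external CA (assumption) so the example runs stand-alone.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Constructed Test CA" 2>/dev/null
printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/fw.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/ext.cnf" \
  -out "$WORK/fw.pem" 2>/dev/null

# Check A: the certificate the CA returned embeds the public key from OUR CSR.
# Compares SHA-256 digests of the DER-encoded SubjectPublicKeyInfo of each.
cert_matches_csr() {
  a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Check B: the Subject Alternative Name lists the Common Name as a DNS entry,
# which is what clients (and GlobalProtect) actually match against.
san_has_cn() {
  cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$cn"
}

if cert_matches_csr "$WORK/fw.csr" "$WORK/fw.pem" && san_has_cn "$WORK/fw.pem"; then
  echo "PEM matches the CSR and SAN covers $FQDN: safe to import"
else
  echo "returned certificate does not match this CSR or lacks the SAN" >&2
fi
```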
