Obtain a Certificate from an External CA

The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key does not leave the firewall. To obtain a certificate from an external CA, generate a certificate signing request (CSR) and submit it to the CA. After the CA issues a certificate with the specified attributes, import it onto the firewall. The CA can be a well-known, public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.
  1. Request the certificate from an external CA.
    1. Select Device > Certificate Management > Certificates > Device Certificates.
    2. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
    3. Click Generate.
    4. Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
    5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
    6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
    7. In the Signed By field, select External Authority (CSR).
    8. If applicable, select an OCSP Responder.
    9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate. If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
    10. Click Generate. The Device Certificates tab displays the CSR with a Status of pending.
  2. Submit the CSR to the CA.
    1. Select the CSR and click Export to save the .csr file to a local computer.
    2. Upload the .csr file to the CA.
  3. Import the certificate.
    1. After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
    2. Enter the Certificate Name used to generate the CSR.
    3. Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
    4. Click OK. The Device Certificates tab displays the certificate with a Status of valid.
  4. Configure the certificate.
    1. Click the certificate Name.
    2. Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
    3. Click OK and Commit.