
Create a Self-Signed Root CA Certificate

A self-signed root certificate authority (CA) certificate is the top-most certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser displays a warning that the certificate is invalid and might (depending on its security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, export the certificate (never the private key) and import it into the trust store of each client system. Because every client that trusts this root will accept any certificate it signs, protect the root's private key accordingly and keep it on the firewall.
On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.
  1. Select Certificate Management > Device Certificates.
  2. If the firewall has more than one virtual system (vsys), select a location for the certificate: a specific vsys, or shared across all of them.
  3. Open the dialog for generating a new certificate.
  4. Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
  5. In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
  6. If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the check box that shares it across all vsys.
  7. Leave the Signed By field blank to designate the certificate as self-signed.
  8. Select the Certificate Authority check box. The firewall and Panorama can generate a self-signed certificate only as a CA certificate, so this check box is required for a self-signed root.
  9. Leave the OCSP Responder field blank. Revocation status checking does not apply to a root CA certificate: a root is trusted directly by the clients that import it rather than validated against a higher authority.
  10. Generate the certificate.
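The following OpenSSL script is an added example; it is not part of this documentation or of PAN-OS, and it does not run on the firewall. It reproduces the procedure above on a workstation so the fields map to something inspectable: a self-signed root (Signed By blank) with the CA flag set (Certificate Authority check box), a leaf certificate issued from that root the way the firewall issues certificates for decryption, and four client-side verifications: root imported, root not imported, host name mismatch, and a root generated without the CA flag. The names fw.example.com and www.example.net, the scratch directory, and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the PAN-OS documentation): OpenSSL equivalent of the
# self-signed root CA procedure, plus the client-side checks that follow from it.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption for the example)
CA_CN="fw.example.com"         # assumed FQDN of the firewall interface (Common Name field)
LEAF_CN="www.example.net"      # assumed server name the firewall issues a leaf certificate for

# OpenSSL configuration, constructed inline for this example.
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $CA_CN
[ v3_ca ]
# "Certificate Authority" check box selected: the certificate may sign other certificates
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_not_ca ]
# Same self-signed certificate with the CA flag cleared, to show why the check box matters
basicConstraints = critical, CA:FALSE
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$LEAF_CN
EOF
}

# Self-signed root: "Signed By" left blank means the certificate signs itself (-x509).
# $1 = output basename, $2 = extension section (v3_ca or v3_not_ca)
make_root() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/ca.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Leaf certificate signed by a root, as the firewall does for decryption.
# $1 = root basename, $2 = leaf basename
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$LEAF_CN" \
    -config "$WORK/ca.cnf" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_leaf \
    -out "$WORK/$2.crt" 2>/dev/null
}

# What a client does when it connects: build and check the chain against the roots it
# has imported, then match the host name. Returns 0 if the leaf is accepted, non-zero otherwise.
# $1 = leaf basename, $2 = root basename or "" for "root not imported", $3 = host name connected to
client_trusts() {
  leaf="$WORK/$1.crt"
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$2.crt" \
      -verify_hostname "$3" "$leaf" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$3" "$leaf" >/dev/null 2>&1
  fi
}

# Generate everything once (idempotent so repeated calls do not regenerate keys).
setup() {
  if [ -f "$WORK/leaf_from_notca.crt" ]; then return 0; fi
  write_config
  make_root root v3_ca
  make_root notca v3_not_ca
  issue_leaf root leaf
  issue_leaf notca leaf_from_notca
}

setup
client_trusts leaf root "$LEAF_CN"                  && echo "root imported:     accepted"
client_trusts leaf "" "$LEAF_CN"                    || echo "root not imported: rejected (browser warning)"
client_trusts leaf root "other.example.net"         || echo "host name mismatch: rejected"
client_trusts leaf_from_notca notca "$LEAF_CN"      || echo "CA flag not set:   rejected (invalid CA certificate)"
```

The last case is the one the Certificate Authority check box guards against: a self-signed certificate whose basicConstraints says CA:FALSE can still sign a leaf, but no conforming client will accept a chain built through it. To see what the clients are being asked to trust, inspect the root with `openssl x509 -in "$WORK/root.crt" -noout -text` and confirm the CA:TRUE constraint and the key usage before distributing it.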
