The advantage of obtaining a certificate from
an external certificate authority (CA) is that the private key does
not leave the firewall. To obtain a certificate from an external
CA, generate a certificate signing request (CSR) and submit it to
the CA. After the CA issues a certificate with the specified attributes,
import it onto the firewall. The CA can be a well-known, public
CA or an enterprise CA.
To use Online Certificate Status Protocol
(OCSP) for verifying the revocation status of the certificate, configure
an OCSP Responder before generating the CSR.
Request the certificate from an external CA.
If the firewall has more than one virtual system (vsys),
for the certificate.
name is case-sensitive and can have up to 63 characters on the firewall
or up to 31 characters on Panorama. It must be unique and use only
letters, numbers, hyphens, and underscores.
the FQDN (recommended) or IP address of the interface where you
will configure the service that will use this certificate.
If the firewall has more than one vsys and you want
the certificate to be available to every vsys, select the
If applicable, select an
to uniquely identify the firewall and the
service that will use the certificate.
If you add a
it is a best practice for it to match the
is mandatory for GlobalProtect). The host name populates the Subject
Alternative Name field of the certificate.
tab displays the CSR with a Status of
Submit the CSR to the CA.
Select the CSR and click
save the .csr file to a local computer.
Upload the .csr file to the CA.
Import the certificate.
After the CA sends a signed certificate
in response to the CSR, return to the
to generate the CSR.
Enter the path and name of the PEM
that the CA sent, or
tab displays the certificate with a Status
Configure the certificate.
Click the certificate
Select the check boxes that correspond to the intended
use of the certificate on the firewall. For example, if the firewall
will use this certificate to secure forwarding of syslogs to an
external syslog server, select the
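The same flow (local key and CSR, signing by the CA, checks on the returned certificate before import) reproduced with openssl on a workstation, as an added example that is not PAN-OS code and not part of the original page. The CA here is a constructed lab CA standing in for the public or enterprise CA; the host name fw.example.internal and all file names are assumptions. The checks at the end are the ones worth running on the signed certificate before importing it: the certificate's public key matches the private key held locally, the chain validates against the intended CA, and the SAN issued is the SAN that was requested.

```shell
#!/bin/sh
# Added example, not from the PAN-OS documentation: CSR -> external CA -> import
# flow reproduced with openssl, plus pre-import checks on the issued certificate.
# The CA below is a constructed lab CA standing in for the external CA; the
# host name fw.example.internal and all file names are assumptions.
set -e
WORK=$(mktemp -d)
cd "$WORK"

FQDN="fw.example.internal"

# Step 1: generate the key pair and CSR locally. The private key (fw.key) never
# leaves this machine; only fw.csr is sent to the CA. CN and SAN both carry the
# FQDN the service will be reached at.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
    -subj "/CN=$FQDN/O=Example Corp" \
    -addext "subjectAltName=DNS:$FQDN" 2>/dev/null
}

# Constructed lab CA (stands in for the public or enterprise CA).
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1" -out "$2" -subj "/CN=Constructed Lab CA" 2>/dev/null
}

# Step 2: the CA signs the CSR. A real CA decides which extensions it issues;
# here the requested SAN is carried over explicitly via an extension file.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" > ext.cnf
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -extfile ext.cnf -out "$4" 2>/dev/null
}

# Step 3 pre-import checks. A certificate whose public key does not match the
# local private key cannot be paired with it, and one that does not chain to the
# expected CA leaves the service presenting an untrusted certificate.

# Does the issued certificate carry the public key of this private key?
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the certificate ($1) validate against the CA certificate ($2)?
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# SAN as requested in the CSR and as actually issued in the certificate.
csr_san() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -1 | tr -d ' '
}
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -1 | tr -d ' '
}

make_csr fw.key fw.csr
make_ca ca.key ca.crt
sign_csr fw.csr ca.crt ca.key fw.crt
# An unrelated key: stands in for a certificate that was issued for a different
# CSR (for example, the response to an earlier request) being imported by mistake.
openssl genrsa -out other.key 2048 2>/dev/null

key_matches_cert fw.key fw.crt    && echo "key/cert match: OK"
key_matches_cert other.key fw.crt || echo "key/cert match: MISMATCH (expected for other.key)"
chain_ok fw.crt ca.crt            && echo "chain to CA: OK"
echo "CSR SAN:  $(csr_san fw.csr)"
echo "Cert SAN: $(cert_san fw.crt)"
```

The key-match check is the one that catches the most common import failure: the certificate returned by the CA belongs to a different CSR than the one the firewall generated. Comparing the SubjectPublicKeyInfo from the private key with the one in the certificate settles it before anything is uploaded.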