Export a Certificate and Private Key

Palo Alto Networks recommends that you use your enterprise public key infrastructure (PKI) to distribute a certificate and private key in your organization. However, if necessary, you can also export a certificate and private key from the firewall or Panorama. You can use an exported certificate and private key in the following cases:
  1. Select Device > Certificate Management > Certificates > Device Certificates.
  2. If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
  3. Select the certificate, click Export, and select a File Format:
    • Base64 Encoded Certificate (PEM)—This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
    • Encrypted Private Key and Certificate (PKCS12)—This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
    • Binary Encoded Certificate (DER)—More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.
  4. Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.
  5. Click OK and save the certificate/key file to your computer.
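
As an added example (not from the Palo Alto Networks documentation), the following Python checks what an exported file contains before you distribute it: which of the three formats it is, and whether any private key in it is passphrase-encrypted. It assumes the file uses the standard PEM, PKCS #12 and DER encodings; the names classify_export and der_body and the sample byte strings are constructed for illustration.

```python
import re

# Key-bearing PEM labels (RFC 7468 plus the traditional OpenSSL forms).
ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples, not real certificates or keys: only the framing matters.
SAMPLE_PEM_WITH_KEY = (
    b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_PKCS12 = b"\x30\x82\x00\x05\x02\x01\x03\x30\x00"
SAMPLE_DER_CERT = b"\x30\x06\x30\x04\x02\x02\x00\x01"

def der_body(data):
    """Return the content bytes of an outer DER SEQUENCE, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                       # short-form length
        return data[2:2 + data[1]]
    n = data[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return data[2 + n:2 + n + int.from_bytes(data[2:2 + n], "big")]


def classify_export(data):
    """Return (file_format, key_state) for the bytes of an exported file."""
    state = "none"
    for label, body in PEM_BLOCK.findall(data):
        label = label.decode()
        if label in PLAIN_KEY_LABELS and b"Proc-Type: 4,ENCRYPTED" not in body:
            return "PEM", "UNENCRYPTED"      # any cleartext key decides it
        if label == ENCRYPTED_LABEL or label in PLAIN_KEY_LABELS:
            state = "encrypted"
    if PEM_BLOCK.search(data):
        return "PEM", state
    body = der_body(data)
    if body and body[:3] == b"\x02\x01\x03":  # PFX version 3 (RFC 7292)
        return "PKCS12", "in-container"       # passphrase not verified here
    if body and body[:1] == b"\x30":          # tbsCertificate SEQUENCE
        return "DER", "none"
    return "unknown", "none"


if __name__ == "__main__":
    for sample in (SAMPLE_PEM_WITH_KEY, SAMPLE_PKCS12, SAMPLE_DER_CERT):
        print(classify_export(sample))
```

A result of ("PEM", "UNENCRYPTED") means the file carries a private key with no passphrase protection. The check reads only the file framing, so confirming that a PKCS12 file opens with the intended passphrase still requires a PKCS #12 parser.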
