Create a Self-Signed Root CA Certificate
A self-signed root certificate authority (CA) certificate is the top-most certificate in a certificate chain. A firewall can use this certificate to automatically issue certificates for other uses. For example, the firewall issues certificates for SSL/TLS decryption and for satellites in a GlobalProtect large-scale VPN.
When establishing a secure connection with the firewall, the remote client must trust the root CA that issued the certificate. Otherwise, the client browser will display a warning that the certificate is invalid and might (depending on security settings) block the connection. To prevent this, after generating the self-signed root CA certificate, import it into the client systems.
On a Palo Alto Networks firewall or Panorama, you can generate self-signed certificates only if they are CA certificates.
- Select DeviceCertificate ManagementCertificatesDevice Certificates.
- If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
- Click Generate.
- Enter a Certificate Name, such as GlobalProtect_CA. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
- In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
- If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
- Leave the Signed By field blank to designate the certificate as self-signed.
- (Required) Select the Certificate Authority check box.
- Leave the OCSP Responder field blank; revocation status verification doesn’t apply to root CA certificates.
- Click Generate and Commit.
Deploy Server Certificates to the GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...
Import a Certificate and Private Key
Import a Certificate and Private Key If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into ...
Certificate Deployment The basic approaches to deploy certificates for Palo Alto Networks firewalls or Panorama are: Obtain certificates from a trusted third-party CA —The benefit ...
Generate a Certificate
Generate a Certificate Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive ...
About Certificate Deployment
About Certificate Deployment There are two basic approaches to deploying certificates for GlobalProtect LSVPN: Enterprise Certificate Authority —If you already have your own enterprise certificate ...
Configure SSL Forward Proxy
SSL Forward Proxy decryption enables the firewall to see potential threats in outbound encrypted traffic and apply security protections against those threats. ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
Deploy Shared Client Certificates for Authentication
Deploy Shared Client Certificates for Authentication To confirm that an endpoint user belongs to your organization, you can use the same client certificate for all ...
Manage Firewall and Panorama Certificates
Manage Firewall and Panorama Certificates Device > Certificate Management > Certificates > Device Certificates Panorama > Certificate Management > Certificates Select Device Certificate Management Certificates ...