Generate a Certificate
Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access to the firewall/Panorama. Generate a separate certificate for each usage; for details, see Keys and Certificates.
To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, Configure an OCSP Responder before generating the certificate.
- Select Device > Certificate Management > Certificates > Device Certificates.
- If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
- Click Generate.
- Select Local (default) as the Certificate Type unless you want to deploy SCEP certificates to GlobalProtect endpoints.
- Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
- In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
- If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
- In the Signed By field, select the root CA certificate that will issue the certificate.
- (Optional) Select an OCSP Responder.
- For the key generation Algorithm, select RSA (default) or Elliptic Curve DSA (ECDSA). ECDSA is recommended for client browsers and operating systems that support it. Note that firewalls running PAN-OS 6.1 and earlier releases delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) are invalid on those firewalls.
- Select the Number of Bits to define the certificate key length. Longer keys are more secure but require more processing time; modern clients reject RSA keys shorter than 2048 bits, so treat that as the minimum for RSA.
- Select the Digest algorithm. From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5. The sha1 and md5 options exist only for legacy compatibility; current browsers and operating systems reject certificates signed with either, so use sha256 or stronger. Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have sha512 as a digest algorithm. Such client certificates must use a weaker digest algorithm (such as sha384), or you must limit the Max Version to TLSv1.1 when you Configure an SSL/TLS Service Profile for the firewall services.
- For the Expiration, enter the number of days (default is 365) for which the certificate is valid.
- (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate. If you add a Host Name (DNS name) attribute, it is a best practice for it to match the Common Name, because the host name populates the Subject Alternative Name (SAN) field of the certificate and modern browsers ignore the Common Name and require the SAN to list the domains the certificate protects; in addition, a Host Name matching the Common Name is mandatory for GlobalProtect.
- Click Generate and, in the Device Certificates page, click the certificate Name. Regardless of the time zone configured on the firewall, it always displays certificate validity and expiration dates/times in Greenwich Mean Time (GMT).
- Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
- Click OK and Commit.
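The procedure above, reproduced as an added example that is not PAN-OS code or any Palo Alto Networks tool: a Go program using only the standard library builds the same objects the Generate dialog does (a self-signed root CA as the Signed By issuer, a leaf with the chosen Common Name, Host Name/SAN, key algorithm, expiration and key-usage flags) and then runs the checks a browser or GlobalProtect client would run against the result. The CA name "Corp Root CA" and the FQDN "gp.example.com" are constructed values. The interesting case is the second certificate: same Common Name, but no Host Name attribute, so the SAN is empty and hostname verification fails, which is exactly why the page tells you to set Host Name equal to the Common Name.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertParams mirrors the fields of the firewall's Generate dialog.
// (Certificate Name is omitted: it is only a management label.)
type CertParams struct {
	CommonName string // CN: FQDN of the interface that serves the request
	HostName   string // Host Name attribute; populates the SAN DNS entry
	Algorithm  string // "RSA" or "ECDSA"
	Bits       int    // RSA key length; ignored for ECDSA (P-256 here)
	Days       int    // Expiration in days
	ServerAuth bool   // e.g. GlobalProtect portal/gateway, web interface
	ClientAuth bool   // e.g. client certificate for administrator access
}

// newRootCA builds the self-signed ECDSA root CA used as "Signed By".
func newRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert generates the leaf key pair and has the root CA sign the
// certificate with ECDSA/SHA-256 (sha256 is the dialog's default digest).
func issueCert(p CertParams, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, crypto.Signer, error) {
	var key crypto.Signer
	var err error
	usage := x509.KeyUsageDigitalSignature
	if p.Algorithm == "RSA" {
		key, err = rsa.GenerateKey(rand.Reader, p.Bits)
		usage |= x509.KeyUsageKeyEncipherment
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC()
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(2),
		Subject:            pkix.Name{CommonName: p.CommonName},
		NotBefore:          now.Add(-time.Minute),
		NotAfter:           now.AddDate(0, 0, p.Days),
		KeyUsage:           usage,
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	if p.HostName != "" { // Host Name attribute -> SAN dNSName
		tmpl.DNSNames = []string{p.HostName}
	}
	if p.ServerAuth {
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageServerAuth)
	}
	if p.ClientAuth {
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageClientAuth)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, key.Public(), caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyForHost runs the checks a browser or GlobalProtect client makes:
// chain to the trusted root, SAN matches the requested host, valid at `at`.
func verifyForHost(leaf, ca *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := newRootCA("Corp Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	// Host Name equals the Common Name, as the procedure recommends.
	good, _, err := issueCert(CertParams{CommonName: "gp.example.com", HostName: "gp.example.com",
		Algorithm: "ECDSA", Days: 365, ServerAuth: true}, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("with SAN:", verifyForHost(good, ca, "gp.example.com", time.Now()))
	fmt.Println("expires:", good.NotAfter) // parsed as UTC, matching the firewall's GMT display
	// Same Common Name, no Host Name attribute: SAN-only clients reject it.
	noSAN, _, err := issueCert(CertParams{CommonName: "gp.example.com",
		Algorithm: "RSA", Bits: 2048, Days: 365, ServerAuth: true}, ca, caKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("without SAN:", verifyForHost(noSAN, ca, "gp.example.com", time.Now()))
}
```

Go's verifier, like current browsers, never falls back to the Common Name for hostname matching, so the second certificate fails even though its CN is correct. The same helper also shows the Number of Bits and Algorithm choices in one place: the RSA leaf is still signed by the ECDSA CA, which is the combination the PAN-OS 6.1 note above warns cannot be deployed to old firewalls.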