Obtain a Certificate from an External CA
The advantage of obtaining a certificate from an external certificate authority (CA) is that the private key never leaves the firewall: the firewall generates the key pair itself, and the certificate signing request (CSR) you send to the CA carries only the public key and the subject attributes. To obtain a certificate from an external CA, generate a CSR on the firewall and submit it to the CA. After the CA issues a certificate with the requested attributes, import it onto the firewall under the same Certificate Name so that it is paired with the pending key. The CA can be a well-known public CA or an enterprise CA.
To use Online Certificate Status Protocol (OCSP) for verifying the revocation status of the certificate, Configure an OCSP Responder before generating the CSR.
- Request the certificate from an external CA.
- Select Device > Certificate Management > Certificates > Device Certificates.
- If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
- Click Generate.
- Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
- In the Common Name field, enter the FQDN (recommended) or IP address of the interface where you will configure the service that will use this certificate.
- If the firewall has more than one vsys and you want the certificate to be available to every vsys, select the Shared check box.
- In the Signed By field, select External Authority (CSR).
- If applicable, select an OCSP Responder.
- (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate. If you add a Host Name attribute, it should match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.
- Click Generate. The Device Certificates tab displays the CSR with a Status of pending.
- Submit the CSR to the CA.
- Select the CSR and click Export to save the .csr file to a local computer.
- Upload the .csr file to the CA.
- Import the certificate.
- After the CA sends a signed certificate in response to the CSR, return to the Device Certificates tab and click Import.
- Enter the Certificate Name used to generate the CSR.
- Enter the path and name of the PEM Certificate File that the CA sent, or Browse to it.
- Click OK. The Device Certificates tab displays the certificate with a Status of valid.
- Configure the certificate.
- Click the certificate Name.
- Select the check boxes that correspond to the intended use of the certificate on the firewall. For example, if the firewall will use this certificate to secure forwarding of syslogs to an external syslog server, select the Certificate for Secure Syslog check box.
- Click OK and Commit.
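Before importing the signed certificate (the Import step above), it is worth checking on the local computer that the file the CA returned actually belongs to the CSR you exported: that its public key is the one the firewall generated, that the Common Name from the CSR appears in the Subject Alternative Name (which the Host Name attribute was meant to populate), and that it has not already expired. The following script is an added example, not part of the Palo Alto Networks documentation; it uses only the openssl command line, the file names are hypothetical, and the sample CSR and certificates it builds (a good one, one signed over a different key, and one where the CA dropped the SAN) are constructed locally to stand in for the firewall's export and the CA's response.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a CSR exported from the
# firewall against the certificate a CA returned for it, before importing the
# certificate under the CSR's Certificate Name. Requires the openssl CLI.
set -eu

# check_csr_cert CSR.csr CERT.pem
# Returns 0 when CERT was issued for CSR: the CSR signature verifies, CERT carries
# the same public key, the CSR's CN is listed in CERT's Subject Alternative Name,
# and CERT is not already expired. Prints the first failing reason otherwise.
check_csr_cert() {
    csr=$1
    cert=$2
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "CSR signature does not verify: $csr"; return 1
    fi
    # Compare SHA-256 of the DER-encoded SubjectPublicKeyInfo from each file.
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    cert_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$csr_key" != "$cert_key" ]; then
        echo "public key in $cert does not match the key pair behind $csr"; return 1
    fi
    # CN requested in the CSR (FQDN or IP address of the firewall interface).
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # SAN values in the issued certificate, one per line, type prefix (DNS:, IP Address:) stripped.
    san_values=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *[A-Za-z ]*://')
    found=0
    for v in $san_values; do
        if [ "$v" = "$cn" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then
        echo "Subject Alternative Name of $cert does not contain the CN '$cn'"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "certificate has already expired: $cert"; return 1
    fi
    return 0
}

# make_sample DIR: constructed test data (hypothetical names) that plays the role of
# the firewall's exported CSR and three possible CA responses:
#   fw.crt    - issued for fw.csr with the SAN intact (the good case)
#   other.crt - same subject, but signed over a different key pair
#   nosan.crt - issued for fw.csr, but the CA dropped the Subject Alternative Name
make_sample() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = fw.example.com
[ext]
subjectAltName = DNS:fw.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/fw.key" -out "$dir/fw.csr" -config "$dir/req.cnf" 2>/dev/null
    # Self-signing stands in for the CA here; a real CA signs with its own key.
    openssl x509 -req -in "$dir/fw.csr" -signkey "$dir/fw.key" -days 365 \
        -extfile "$dir/req.cnf" -extensions ext -out "$dir/fw.crt" 2>/dev/null
    openssl x509 -req -in "$dir/fw.csr" -signkey "$dir/fw.key" -days 365 -out "$dir/nosan.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/other.key" -out "$dir/other.csr" -config "$dir/req.cnf" 2>/dev/null
    openssl x509 -req -in "$dir/other.csr" -signkey "$dir/other.key" -days 365 \
        -extfile "$dir/req.cnf" -extensions ext -out "$dir/other.crt" 2>/dev/null
}

if [ $# -eq 2 ]; then
    # Usage: sh check_cert.sh exported.csr issued.pem
    check_csr_cert "$1" "$2" && echo "OK: $2 belongs to $1; import it under the CSR's Certificate Name"
elif [ $# -eq 0 ]; then
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir"
    check_csr_cert "$demo_dir/fw.csr" "$demo_dir/fw.crt" && echo "OK: fw.crt accepted"
    check_csr_cert "$demo_dir/fw.csr" "$demo_dir/other.crt" || echo "rejected: other.crt"
    check_csr_cert "$demo_dir/fw.csr" "$demo_dir/nosan.crt" || echo "rejected: nosan.crt"
    rm -rf "$demo_dir"
fi
```

Run it with the exported .csr and the CA's PEM file as arguments; with no arguments it runs against the constructed samples. The public-key comparison is the check that matters most: a certificate whose key does not match will import without complaint only if its name collides with nothing, and will never serve the pending CSR's key, which is exactly why the Import step insists on the same Certificate Name. Verifying the issuer chain (openssl verify with the CA's chain file) is a separate step and is not covered here.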