If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Unlike most certificates purchased from a trusted, third-party CA, a certificate issued by an enterprise CA can itself be a CA certificate, which the firewall needs for applications such as SSL/TLS decryption or large-scale VPN; public CAs do not sell subordinate CA certificates for that purpose.
On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates. Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate issued by the enterprise CA, because the clients already trust the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain, so that the firewall can present the intermediate certificates and clients can build a path to the root they already trust.
From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport; when importing the key onto the firewall, you must enter the same passphrase to decrypt it. Ensure the system from which you manage the firewall can access the certificate and key files.
1. If the firewall has more than one virtual system (vsys), select the location for the certificate.
2. Enter a name for the certificate. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
3. To make the certificate available to all virtual systems, select the check box that shares it across virtual systems. This check box appears only if the firewall supports multiple virtual systems.
4. Enter the path and name of the certificate file received from the CA, or browse to find the file.
5. Select the file format:
   Encrypted Private Key and Certificate: This is the default and most common format, in which the key and certificate are in a single container file. If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
   Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the check box to import the private key, enter the path and name of the key file or browse to it, then continue to the next step.
6. Enter and re-enter (confirm) the passphrase that was used to encrypt the private key.
7. Confirm the import. The Device Certificates page displays the imported certificate.