For web-gui access to the Palo Alto Networks firewall, you can choose a certificate on the firewall for all web-based management sessions.
Create new or select existing SSL/TLS Profile to be used
Firewall: Device> SSL/TLS Service Profile
Panorama: Panorama> SSL/TLS Service Profile
Click Add
Name: Enter name of the profile
Certificate: Select the certificate to use
Protocol Settings: Choose your preference
Device (or Panorama)>Setup>Management
Click the Gear icon on General tab
Click the drop-down on SSL/TLS Service Profile and select your profile
Click OK
Commit (NOTE: The web server process will restart and you will need to log back in)
Navigate to GUI: Device > Setup > Management > General Settings > SSL/TLS Service Profile. From the dropdown select the above configured SSL/TLS service profile.
NOTE: After committing the changes the webserver daemon responsible for the web-gui will be restarted and you will lose connectivity to the WEB GUI. You will need to login to the WEB GUI again. Then you will see the new certificate configured from the above steps being utilized as the certificate for web-management.
For an HA deployment, Certificates and SSL/TLS service profiles are not synced if it's referenced in system specific configuration (i.e. management access) that are not synced. To update the certificate on the Secondary-Passive firewall, create a new SSL/TLS service profile with a unique name and associate it with the firewall.