How to Generate a CSR (Certificate Signing Request) & Import the Signed Certificate

How to Generate a CSR (Certificate Signing Request) & Import the Signed Certificate

Created On 09/25/18 19:02 PM - Last Updated 02/07/19 23:50 PM
Cortex Data Lake Panorama

PAN-OS includes a feature to create a Certificate Signing Request (CSR). This feature can create a Certificate Signing Request (CSR) for sending to a public third-party Certificate Authority like Verisign, Globalsign, Entrust, and so on...



Generate the CSR

  1. Go to Device > Certificate Management > Certificates.
    Certificate screen 1 - 6.0.pngCertificate screen in PAN-OS 6.0,6.1 and 7.0Certificate screen 1 - 7.1.pngCertificate screen in PAN-OS 7.1
  2. Click 'Generate' at the bottom of the screen.
    Certificate screen 2 - 6.0.pngPAN-OS 6.0, 6.1 and 7.0Certificate screen 2 - 7.1.pngPAN-OS 7.1
  3. Fill in the Certificate Name (save this name for later), Common Name (usually the FQDN), and select "External Authority (CSR)" for Signed By.
    Note: Do not select 'Certificate Authority.'
    Certificate screen 3 - 7.1.pngPAN-OS 7.1 Generate Certificate screen
  4. Complete the remaining details such as Country, Organization, and so on. Check with the Certificate Authority (CA) about their requirements for Certificate Attribute formatting and criteria. Click Generate to create the CSR.

  5. You should see the confirmation window when this is complete.
    Certificate screen 4 - 7.1.pngCertificate confirmation window - PAN-OS 7.1


Export the CSR

You will need to export the CSR to send to a third-party CA for signature:

  1. Click the check box next to the Certificate Name or any whitespace on that line to select it.
    Certificate screen 5 - 7.1.pngExporting CSR on PAN-OS 7.1
  2. Click Export and save the file.


  3. Send the exported CSR to a third-party Certificate Authority. The CA will respond with a signed certificate.


Import the Signed Certificate

  1. Note the name, including capitalization, of the certificate to import. (This must match the CSR request from above.)
  2. Click the Import option at the bottom of the screen.
    Certificate screen 6 - 7.1.pngImport certificate option PAN-OS 7.1
  3. In the Import Certificate dialog, type the name of the pending certificate. It must match exactly.
    Certificate screen 7 - 7.1.pngImport Certificate window PAN-OS 7.1
  4. Click browse to select the signed certificate received from the Certificate Authority and click OK.
    (Note: Do not click the Import Private Key check box as the private key is already on the firewall).

  5. Depending on the certificate authority used, it may be necessary to chain the intermediate certificate with the server certificate and import it before completing this step.
    For more information, refer to: How to Install a Chained Certificate Signed by a Public CA.


  6. Click OK. The certificate now appears valid and the key check box is selected. (CA checkbox will remain empty as it is not valid for this example.)


A new, third-party signed certificate can now be used for GlobalProtect or any other function.


owner: gwesson.

  • Print
  • Copy Link

Choose Language