PAN-OS includes a feature to create a Certificate Signing Request (CSR) that can be sent to a public third-party Certificate Authority such as Verisign, Globalsign, or Entrust.
Generate the CSR
Go to Device > Certificate Management > Certificates.
Click 'Generate' at the bottom of the screen.
Fill in the Certificate Name (save this name for later), Common Name (usually the FQDN), and select "External Authority (CSR)" for Signed By. Note: Do not select 'Certificate Authority.'
Complete the remaining details such as Country, Organization, and so on. Check with the Certificate Authority (CA) about their requirements for Certificate Attribute formatting and criteria. Click Generate to create the CSR.
You should see the confirmation window when this is complete.
Export the CSR
You will need to export the CSR to send to a third-party CA for signature:
Click the checkbox next to the Certificate Name or any whitespace on that line to select it.
Note: Newer PAN-OS will display Export Certificate instead of Export.
Click Export or Export Certificate and save the file.
Send the exported CSR to a third-party Certificate Authority. The CA will respond with a signed certificate.
Import the Signed Certificate
Note the name, including capitalization, of the certificate to import. (This must match the CSR request from above.)
Click the Import option at the bottom of the screen.
In the Import Certificate dialog, type the name of the pending certificate. It must match exactly.
Click browse to select the signed certificate received from the Certificate Authority and click OK. (Note: Do not click the Import Private Key checkbox, as the private key is already on the firewall.)
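Because the private key stays on the firewall, the certificate the CA returns must carry the same public key as the CSR that was exported. The script below is an added example, not part of the original article: it compares the two public keys with OpenSSL on an admin workstation before the import step. The file names and the function names are assumptions, and the sample files it can generate are constructed stand-ins for the firewall export and the CA reply.

```bash
#!/usr/bin/env bash
# Added example: check that a CA-signed certificate belongs to an exported CSR
# by comparing the public keys they contain. Requires the openssl CLI.

# Print the SHA-256 of the public key in a PEM CSR; fail if it cannot be parsed.
csr_pubkey_fp() {
    local pub
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Print the SHA-256 of the public key in a PEM certificate; fail if unparsable.
cert_pubkey_fp() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the keys match, 1 if they differ, 2 if either file is unreadable.
cert_matches_csr() {
    local csr_fp cert_fp
    csr_fp=$(csr_pubkey_fp "$1") || return 2
    cert_fp=$(cert_pubkey_fp "$2") || return 2
    [ "$csr_fp" = "$cert_fp" ]
}

# Build constructed sample files in directory $1 (for trying the check offline):
#   fw.csr     stands in for the CSR exported from the firewall
#   signed.crt stands in for the CA reply (same public key as fw.csr)
#   other.crt  is a certificate for an unrelated key (should be rejected)
make_constructed_samples() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/fw.key" \
        -subj "/CN=fw.example.com" -out "$1/fw.csr" 2>/dev/null
    openssl x509 -req -in "$1/fw.csr" -signkey "$1/fw.key" -days 1 \
        -out "$1/signed.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -subj "/CN=fw.example.com" -days 1 -out "$1/other.crt" 2>/dev/null
}

# Usage: ./check.sh exported.csr signed.crt
if [ "$#" -eq 2 ]; then
    if cert_matches_csr "$1" "$2"; then
        echo "Public keys match."
    else
        echo "Mismatch or unreadable file: certificate does not pair with this CSR."
    fi
fi
```

If the CA returns the certificate in DER rather than PEM, convert it first or add `-inform DER` to the `openssl x509` call.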