Palo Alto Networks Knowledgebase: How to Generate a New Self-Signed SSL Certificate

How to Generate a New Self-Signed SSL Certificate

Created On 09/25/18 19:36 PM - Last Updated 02/07/19 23:58 PM


If you do not want to load your own certificate into the device or use the default self-signed certificate, a new self-signed certificate can be generated through the web interface or CLI.

This new self-signed certificate can be used for SSL Decryption or for a GlobalProtect portal or Gateway Certificates.



1. From the WebGUI, navigate to Device > Certificates.

2. Click Generate at the bottom of the screen.

3. Enter the desired details for the certificate. The details entered here are what users see if they view the CA certificate for an encrypted session using the browser. 
Note: If you would like the certificate to be valid for longer than 365 days (1 year), then please change the "Expiration (days) from 365 to a larger value before creating the certificate.

generate selfsigned cert.pngGenerate a SelfSigned Certificate


4. On the Generate Certificate window, click Generate:

succesfull generation.pngCertificate successfully generated


5. To verify that the certificate was created properly, click on the newly generated certificate.

Note:  If using this certificate for SSL Decryption, please check "Forward Trust Certificate" and "Forward Untrust Certificate". To delete or remove the certificate, uncheck both options, otherwise an error is generated.

certificate properties.pngEnable Forward Trust and Untrust


6. Commit the changes. When the commit operation completes, the Self-Signed CA certificate isinstalled.



From the CLI, to create a new self-signed certificate, run the following command, <all on one line>(PAN-OS 6.1 only)


> request certificate self-signed country-code US email locality Alviso state CA organization “Palo Alto Networks” organization-unit “Session inspected by policy” nbits 1024 name “SSL Inspection” passphrase bubba for-use-by ssl-decryption


For PAN-OS 7.0 and after, a very simple self signed certificate can be created with this command:


> request certificate generate name "Firewall-a" certificate-name "ssl test"


You can always use the <tab> or "?" when in the CLI to see what the next commands can be.



For additional info on CLI commands please see this article:

Get Started with the CLI



owner: jebel

  • Print
  • Copy Link

Choose Language