How to Generate a New Self-Signed SSL Certificate

How to Generate a New Self-Signed SSL Certificate

109869
Created On 09/25/18 19:36 PM - Last Modified 02/17/21 16:53 PM


Symptom
  • If you do not want to load your own certificate into the device or use the default self-signed certificate, a new self-signed certificate can be generated through the web interface or CLI.
  • This new self-signed certificate can be used for SSL Decryption or for a GlobalProtect portal or Gateway Certificates.


Environment
  • PAN-OS 7.1 and above.
  • Palo Alto Firewall.
  • Self Signed Certificate generation.


Resolution

Steps

  1. From the WebGUI, navigate to Device > Certificates.
  2. Click Generate at the bottom of the screen.
  3. Enter the desired details for the certificate. The details entered here are what users see if they view the CA certificate for an encrypted session using the browser. 

Note: If you would like the certificate to be valid for longer than 365 days (1 year), then please change the "Expiration (days) from 365 to a larger value before creating the certificate.

generate selfsigned cert.png

 

  1. On the Generate Certificate window, click Generate:

succesfull generation.png
Certificate successfully generated

 

  1. To verify that the certificate was created properly, click on the newly generated certificate.

Note:  If using this certificate for SSL Decryption, then the options "Forward Trust Certificate" and "Forward Untrust Certificate" are used. It is important to use different certificates as "Forward Trust Certificate" and "Forward Untrust Certificate". The reason for this is that otherwise, hosts will always be presented with a certificate they trust, even when the server presented the firewall with an invalid certificate. For the sake of simplicity both selections are shown below.

To delete or remove the certificate, uncheck both options, otherwise, an error is generated.

Forward trust or untrust selection

  1. Commit the changes. When the commit operation completes, the Self-Signed CA certificate is installed.

 



Additional Information

For additional info on CLI commands please see this article:

Get Started with the CLI



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cla8CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language