Palo Alto Networks Knowledgebase: How to Generate a Certificate Signing Request (CSR) With a Multi-level Organizational Unit

How to Generate a Certificate Signing Request (CSR) With a Multi-level Organizational Unit

Created On 08/05/19 20:23 PM - Last Updated 08/05/19 20:36 PM


A Certificate Signing Request (CSR) with a multi-level organizational unit can be generated from the CLI using the following command:


> request certificate generate


Here are the options: * are required.
+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department


Note: in PAN-OS 8.0, the algorithm option is required to generate a CSR.


For example:

> request certificate generate organization-unit [OU1,OU2] signed-by external filename csr-site123 certificate-name site123 name algorithm RSA rsa-nbits 1024


Successfully generated certificate and key pair : site123


The above command will generate a CSR with the following attributes:

Certificate Name: site123

Organizational Units: OU1 and OU2

Common Name:


Inside of the WebGUI: Device > Certificate Management > Certificates > Device Certificates tab

You will see the pending certificate. In order to save the CSR request, click the certificate, then Export:




owner: jteetsel

  • Print
  • Copy Link

Choose Language