How to Generate a Certificate Signing Request (CSR) With a Multi-level Organizational Unit

Details

A Certificate Signing Request (CSR) with a multi-level organizational unit can be generated from the CLI using the following command:

> request certificate generate

Here are the options: * are required.
+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department

Note: in PAN-OS 8.0, the algorithm option is required to generate a CSR.

For example:

> request certificate generate organization-unit [OU1,OU2] signed-by external filename csr-site123 certificate-name site123 name site123.paloaltonetworks.com algorithm RSA rsa-nbits 1024

Successfully generated certificate and key pair : site123

The above command will generate a CSR with the following attributes:

Certificate Name: site123

Organizational Units: OU1 and OU2

Common Name: site123.paloaltonetworks.com

Inside of the WebGUI: Device > Certificate Management > Certificates > Device Certificates tab

You will see the pending certificate. In order to save the CSR request, click the certificate, then Export:

owner: jteetsel