How to import a root certificate and private key into the firewall from your enterprise certificate authority (CA)

Created On 03/07/22 23:37 PM - Last Modified 05/11/22 20:39 PM


Objective


  • This document provides the steps to import a root certificate and private key into the firewall from your enterprise certificate authority (CA).
  • A similar process applies to Panorama when importing the root CA with a private key.


Environment


  • Palo Alto Networks Firewall
  • Palo Alto Networks Panorama
  • Windows Server
  • Certificate Management


Procedure


From the enterprise CA, export the root certificate and private key by following the steps below:
   1. Open "Certificate Authority", highlight the CA, and from the "All Tasks" list select the "Back up CA" option.

   2. In the Certification Authority Backup Wizard, select Next to continue.

   3. On the Items to Back Up page, select the "Private key and CA certificate" check box and set the backup location where you wish to place the certificate with its private key.


   4. On the Select a Password page, enter the password. This password is required to gain access to the private key and the CA certificate file.


   5. Click Finish to complete the Certification Authority Backup Wizard.

   6. On the firewall, import the certificate backed up in the previous steps: select Device > Certificate Management > Certificates > Device Certificates.

   7. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.

   8. Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.

   9. To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.

  10. Enter the path and name of the Certificate File received from the CA, or Browse to find the file.

  11. Select a File Format:
      • Encrypted Private Key and Certificate (PKCS12)—This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
      • Base64 Encoded Certificate (PEM)—You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step.

  12. Enter and re-enter (confirm) the Passphrase used to encrypt the private key (the password created in step 4).

  13. Click OK. The Device Certificates page displays the imported certificate.
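
Before step 6, it can help to confirm that the backup file opens with the passphrase from step 4, that it really holds the root CA certificate with its matching private key, and that the chosen name satisfies the rule in step 8. The script below is an added example, not part of the original article or any Palo Alto Networks tooling; it assumes the `openssl` CLI on an admin workstation, its function names are hypothetical, and the bundle it checks is a constructed test CA standing in for the wizard's backup file.

```bash
#!/usr/bin/env bash
# Added example: pre-import checks for a CA backup bundle. Function names are hypothetical.
export LC_ALL=C

# Step 8 name rule: letters, digits, hyphens, underscores; max 63 chars (firewall), 31 (Panorama).
check_cert_name() {  # usage: check_cert_name NAME firewall|panorama
  local max=63
  [ "$2" = panorama ] && max=31
  [ -n "$1" ] && [ "${#1}" -le "$max" ] || return 1
  case $1 in *[!A-Za-z0-9_-]*) return 1 ;; esac
  return 0
}

# Passes only if the bundle opens with the passphrase, holds a self-signed CA
# certificate, and the private key inside matches that certificate.
check_p12() {  # usage: check_p12 FILE PASSPHRASE
  local cert key
  # The passphrase travels in the environment, not argv, so it stays out of the process list.
  cert=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null) || return 1
  key=$(P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) || return 1
  printf '%s\n' "$key" | grep -q 'PRIVATE KEY' || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q 'CA:TRUE' || return 1
  [ "$(printf '%s\n' "$cert" | openssl x509 -noout -subject_hash)" = \
    "$(printf '%s\n' "$cert" | openssl x509 -noout -issuer_hash)" ] || return 1
  [ "$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)" = \
    "$(printf '%s\n' "$key" | openssl pkey -pubout)" ] || return 1
}

# Builds a constructed test root CA and PKCS12 bundle in DIR (sample input only).
make_sample_p12() {  # usage: make_sample_p12 DIR PASSPHRASE
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
    '[dn]' 'CN=Constructed Test Root CA' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
  P12_PASS=$2 openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.crt" \
    -passout env:P12_PASS -out "$1/ca.p12" 2>/dev/null
}

demo() {
  local d rc
  d=$(mktemp -d) || return 1
  make_sample_p12 "$d" 'constructed-pass' && check_p12 "$d/ca.p12" 'constructed-pass' \
    && check_cert_name 'Enterprise_Root-CA' panorama && echo 'bundle and name pass the checks'
  rc=$?
  rm -rf "$d"   # the temp dir holds the unencrypted test key, so remove it
  return "$rc"
}
demo
```

To check a real backup, call `check_p12` with the path to the file written in step 3 and the passphrase from step 4, on a machine you trust with the CA key.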

