

Install a certificate for Palo Alto

Install the certificate

If you have not generated the key on this appliance, please check the import section below.

It's important to get your certificate with the certification chain. The X509 with chain format (pem-XXXXXXXXXX-XXXXXX.pem) can be downloaded from your certificate status page. Palo Alto requires a specific order for the import to work. We offer this as a default. For reference, the required order is:

  1. Your certificate
  2. Intermediate 1 (signing your certificate)
  3. Intermediate 2 (if provided by the CA)
  4. Any additional intermediate certificate, ordered by signature order

The root certificate can optionally be added but that is not recommended.

To install, go to Device - Certificate Management - Certificates - Device Certificates. If your appliance manages multiple virtual systems (vsys), select the appropriate system via the Location menu. Click Import.

Enter the certificate name you chose during the CSR generation.

Select the PEM file containing the certificate and the certification chain.

Click OK. The certificate is now usable and its state in Device Certificates has been updated to Valid.

Import the certificate

If your private key hasn't been generated on the same Palo Alto appliance, you will need to follow different steps.

Go to Device - Certificate Management - Certificates - Device Certificates. If the appliance manages multiple virtual systems (vsys), select the appropriate system via the Location menu. Click Import.

Select a unique name for the certificate. If the certificate must be available for multiple vsys, check the Shared box.

Now, select your certificate file. There are two cases:

  • Either you have a base64/PEM-encoded certificate and private key. In this case, you will need the certificate with chain (see the beginning of the install section: the pem-XXXXXXXXXX-XXXXXX.pem file downloadable from the certificate status page). Then select the Base64 Encoded Certificate (PEM) format and check Import Private Key. Also select the private key file. If it has been generated with Keybot, enter its passphrase in the Passphrase field.
  • Or you have a PKCS#12 certificate. Select the PKCS#12 file in the upload box, select the Encrypted Private Key and Certificate (PKCS12) type, and enter the PKCS#12 passphrase in the Passphrase field.

Click OK. Your certificate has now been imported.

Enable the certificate

Now that your certificate has been imported, you will need to enable it.

Click the certificate name in the Device Certificates list. Checkboxes let you choose what the certificate is used for.

Once your choice has been made, click OK then Commit. Your certificate has now been enabled.

Export your certificate

You may want to export your certificate with its private key, for example as a backup or to install the same certificate on other appliances or servers.

Go to Device - Certificate Management - Certificates - Device Certificates. If your appliance handles multiple virtual systems (vsys), select the appropriate system via the Location menu. Click Export.

Choose your export format. You can choose PEM (do not forget to check Export private key), PKCS#12, or DER (in this case, only the certificate is exportable, not the private key).

Enter a passphrase if necessary (PKCS#12 or if you want to encrypt a PEM private key).

Click OK and save your certificate.
