FAQs

FAQsCertificate Signing Request (CSR)

How to Generate a CSR on a Palo Alto Networks Firewall?

Updated on February 7, 2026

How to Generate a CSR on a Palo Alto Networks Firewall ?

Overview:
Generating a Certificate Signing Request (CSR) on a Palo Alto Networks firewall is a required step for obtaining a trusted SSL/TLS certificate from Sectigo. By creating and submitting a CSR, you ensure your Palo Alto Networks–based services are secured with a validated Sectigo SSL certificate, enabling strong encryption, improved security compliance, and enhanced trust for users accessing your network. This guide walks you through the complete process of generating a Certificate Signing Request (CSR) on a Palo Alto Networks firewall.

Prerequisites
Before you begin, ensure you have the following:

Administrative access to the Palo Alto Networks firewall

A valid Fully Qualified Domain Name (FQDN) for the certificate

Step-by-Step Procedure to generate a CSR on a Palo Alto Networks Firewall

Step 1: Log in to the Palo Alto Networks Dashboard

Open a web browser.

Step 2: Navigate to Certificate Management

Click on the Device tab at the top of the interface.

In the left-hand navigation pane, expand Certificate Management.

Click on Certificates.

Shape

Step 3: Generate a New Certificate Request

Scroll to the bottom of the page.

Click the Generate button.

Shape

Step 4: Enter Certificate Details

In the Generate Certificate window, enter the following information:

Certificate Type: Local

Certificate Name: Enter a friendly name for the certificate (for example: example_ssl_cert)

Common Name (CN): Enter the FQDN you want to secure (e.g., www.yoursite.com)

Note: For a wildcard certificate, prefix the domain name with an asterisk (e.g., *.yoursite.com).

Signed By: Select External Authority (CSR)

Certificate Authority: Leave blank

OCSP Responder: Leave the default setting

Algorithm: RSA or ECDSA

Number of Bits: 2048

Digest: SHA256

Expiration (Days): Leave blank

Shape

Step 5: Add Certificate Attributes

Click Add under Certificate Attributes and provide the following details:

Country: Two-letter ISO country code (e.g., US)

State: Full state name (e.g., Hawaii)

Locality: Full city name (e.g., Honolulu)

Organization: Full legal company name (e.g., Your Company LLC)

Shape

Step 6: Generate the CSR

Review all entered information carefully.

Do not Select certificate authority

Click Generate.

Important: The private key is securely stored on the Palo Alto Networks device and is not exported.

Shape

Step 7: Export the CSR File

On the Certificates page, locate the newly created certificate.

Select the checkbox next to the Certificate Name.

Click Export at the bottom of the page.

Shape

Step 8: Use the CSR for SSL Enrollment

Open the downloaded CSR file using a text editor such as Notepad.

Copy the entire CSR content (including BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST).

Paste the CSR into the appropriate field during the SSL certificate enrollment process on Sectigo’s website.

Shape

Important Notes

The private key must not be shared and remains on the Palo Alto Networks system.

If the private key is lost, a new CSR must be generated and a new certificate should be requested.

Ensure the Common Name (CN) exactly matches the FQDN that you are authenticating.

Shape Verification

To confirm the CSR process was successful:

Check that the Certificate Authority accepts the CSR without errors.

After receiving the signed certificate, import it back into the Palo Alto firewall and verify that it appears under Device → Certificate Management → Certificates.

When applied to services (e.g., SSL/TLS on interfaces or GlobalProtect), client can connect to the server without any SSL/TLS related warnings.

Conclusion

You have successfully generated and exported a CSR on the Palo Alto Networks firewall. This CSR can now be used to obtain an SSL/TLS certificate from an external Certificate Authority. Once issued, the certificate can be imported back into the Palo Alto device to enable secure communications.

Shape Related Articles:
Tags: