Free Trial
Contact Us

Knowledge Base

Knowledge Base

How to Request and Import a Certificate from an External Certificate Authority (CA) in Panorama / Firewall? 

Updated on February 20, 2026

How to Request and Import a Certificate from an External Certificate Authority (CA) in Panorama / Firewall? 

Overview: 

This guide provides step‑by‑step instructions to generate a Certificate Signing Request (CSR), submit it to an external Certificate Authority (such as Sectigo), import the signed certificate, and configure it for use in Panorama or a Palo Alto Networks firewall. 

Prerequisites 

Before you begin, ensure you have: 

  • Access to Panorama or the Palo Alto Networks firewall with appropriate administrative privileges. 

  • Ability to download and upload files from your workstation (CSR and signed certificate). 

  • Access to the external CA portal (e.g., Sectigo) to submit the CSR and retrieve the issued certificate. 

 

Procedure 

Step 1: Generate the Certificate Signing Request (CSR) 

  1. Navigate to: 
    Device → Certificate Management → Certificates 

  1. Select: 

  • Device Certificates (PAN-OS 11.2 and earlier), or 

  • Custom Certificates (PAN-OS 12.1.0 and later) 

  1. If the firewall has multiple virtual systems, select the appropriate Location 

  1. Click Generate. 

Enter a Certificate Name: 

In the Common Name (CN) field: 

  • Enter the FQDN or 

  • Enter the IP address of the interface where the certificate will be used 

If multiple vsys exist and the certificate should be available to all, select the Shared check box. 

In the Signed By field, select: 
External Authority (CSR) 

(Optional: Add Certificate Attributes to uniquely identify the device and service. 

  • If adding a Host Name, it must match the Common Name. 

  • This is mandatory for GlobalProtect deployments. 

  • The Host Name populates the Subject Alternative Name (SAN) field. 

Click Generate. 

 

The certificate/Certificate request will now appear in: 

  • Device Certificates (PAN-OS 11.2 and earlier), or 

  • Custom Certificates (PAN-OS 12.1.0 and later) 

Status will be shown as Pending. 

 

Step 2: Submit the CSR to the Certificate Authority 

  1. Select the generated CSR. 

  1. Click Export to download the .csr file. 

  1. Submit the .csr file to your external CA for signing. 

 

Step 3: Import the Signed Certificate by Sectigo 

  1. After receiving the signed certificate Issued by Sectigo, return to: 
    Device → Certificate Management → Certificates 

  1. Click on Import. 

  1. Enter the same Certificate Name used during CSR generation. 

  1. Upload the PEM certificate file received/download from the SCM portal  

Use this option from the portal:  

 

  1. Click OK. 

The certificate status will now be displayed as Valid. 

 

 

Step 4: Configure the Certificate for Use (customers part) 

  1. Click on the Certificate Name. 

  1. Select the check boxes corresponding to the intended usage. Examples: 

  • Certificate for Secure Syslog 

  • Certificate for SSL/TLS Service Profile 

  • Certificate for GlobalProtect 

  • Other applicable service options 

  1. Click OK. 

  1. Click Commit to apply the configuration. 

Verification 

  • Ensure the certificate status shows Valid 

  • Confirm the correct expiration date 

The certificate request and installation process are now complete. 
 
 
 
 
 
 
Related Articles: 
Tags: 

Need help?

Need help making a purchase? Contact us today to get your certificate issued right away.

Live chat

Click the button below or click "Chat with an Expert" to start chatting with us now!

Start Chat

Call us today

United States
+1 888 266 6361
France
+33 3 66 72 95 95
Italy
+39 02 4792 1708
Spain
+34 900 838 451
Germany
+49 800 1002328
International
+1 914 732 844

Resources