In this tutorial, you will learn how to install an SSL certificate on a Palo Alto Networks firewall running PAN-OS. You will import the signed certificate, bind it through an SSL/TLS Service Profile, and apply the change with a Commit.
Generate a CSR code on Palo Alto Networks
We’ll begin with CSR (Certificate Signing Request) generation. A CSR is a request sent to a Certificate Authority to apply for a digital certificate. On Palo Alto Networks, the firewall generates the matching private key on the device at the same time and keeps it there. This is why, later, you import only the signed certificate and leave the key fields blank. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to create the CSR on Palo Alto Networks.
Important: If you generated the CSR on the firewall, generate it on the same device where you will install the certificate, and remember the exact Certificate Name you used. PAN-OS matches the signed certificate to the on-device private key by that name. (If instead you generated the CSR and key elsewhere, for example with our CSR Generator, you’ll import the certificate and key together; see Part 2 below.)
Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Palo Alto Networks
After your CA validates the request and emails you the SSL files, you’re ready to install. The process has three parts: prepare the certificate file, import it, then bind it through an SSL/TLS Service Profile and commit.
Part 1: Prepare your SSL certificate file
Download the ZIP archive from your CA and extract your server certificate and the intermediate (CA) certificates. To install on PAN-OS, combine them into a single PEM text file, with your server certificate on top and each intermediate below it:
- Open your server (primary) certificate in a plain-text editor and copy the full block, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
- Paste it into a new plain-text document. Don’t add stray spaces or extra blank lines.
- Open your intermediate certificate, copy its content, and paste it directly below the server certificate. Note: if your CA sent more than one intermediate, paste the second intermediate below the first, in chain order.
- Save the file with a name that contains no spaces (spaces can cause the import to fail). A .cer, .crt, or .pem extension is fine.
Your finished file should follow this structure:
-----BEGIN CERTIFICATE-----
(Your server / primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA certificate)
-----END CERTIFICATE-----
Tip: The order matters: the server certificate must come first, followed by the intermediate(s) that signed it. Do not include the root certificate; clients already trust it.
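A pre-import check for the merged file from Part 1, as an added example (not code from SSL Dragon or Palo Alto Networks): it flags a file name with spaces, stray whitespace or blank lines, a root certificate left in the file, and certificates pasted out of chain order. The function names are illustrative, and chain order is judged by comparing issuer and subject names only; signatures are not verified.

```python
# Added example: lint_bundle and issuer_subject are illustrative names.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Name of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # step into Certificate
    _, pos, end = _tlv(der, pos)           # step into tbsCertificate
    fields = []
    while pos < end:
        tag, _, nxt = _tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:               # drop the optional [0] version field
        fields.pop(0)
    # remaining order: serial, signature algorithm, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def lint_bundle(filename, text):
    """Return a list of problems found in a merged PEM file (empty list = OK)."""
    problems = []
    if " " in filename:
        problems.append("file name contains a space")
    lines = text.splitlines()
    if any(line != line.strip() for line in lines):
        problems.append("stray leading or trailing whitespace")
    if any(not line for line in lines):
        problems.append("blank line inside the file")
    names = [issuer_subject(base64.b64decode("".join(b.split())))
             for b in PEM_RE.findall(text)]
    if not names:
        return problems + ["no certificate blocks found"]
    for i, (issuer, subject) in enumerate(names, 1):
        if issuer == subject:
            problems.append(f"certificate {i} is self-issued; leave the root out")
    for i in range(len(names) - 1):
        # Simplification: byte-for-byte Name comparison, no signature check.
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    return problems
```

Call `lint_bundle(name, open(name).read())` on the file you are about to import; an empty list means none of these problems were found.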
Part 2: Import your SSL certificate
- Log into the PAN-OS web interface and go to the Device tab.
- In the left pane, expand Certificate Management and click Certificates. Stay on the Device Certificates sub-tab.
- At the bottom of the screen, click Import.
- In the Import Certificate window, in the Certificate Name field, enter the exact same name you used for the CSR. This is how PAN-OS pairs the certificate with the private key already on the firewall.
- Set Certificate Type to Local, and set File Format to Base64 Encoded Certificate (PEM).
- Click Browse and select the merged certificate file you saved in Part 1. Because the firewall already holds the private key, leave Import private key unchecked and leave the key/passphrase fields blank.
- Click OK. The Device Certificates list should now show your certificate with a status of valid.
Generated the CSR and key outside the firewall? Then your private key is not on the device. In that case, import a single PKCS#12 (.pfx/.p12) file that bundles the certificate and key: set File Format to Encrypted Private Key and Certificate (PKCS12), check Import private key, browse to the file, and enter its passphrase. If you only have a separate PEM key, import the PEM certificate first, then check Import private key and add the key file.
Part 3: Bind the certificate with an SSL/TLS Service Profile
Importing the certificate is not enough on its own. A Palo Alto firewall only uses a certificate when it’s referenced by an SSL/TLS Service Profile that is, in turn, attached to a service. This is the step where the certificate actually goes live.
- Go to Device → Certificate Management → SSL/TLS Service Profile and click Add.
- Enter a Name for the profile (for example, yourdomain-ssl).
- In the Certificate dropdown, select the certificate you just imported. (Use a signed server certificate here, not a CA certificate.)
- Under Protocol Settings, set Min Version and Max Version. For the management interface and GlobalProtect portals/gateways, TLSv1.3 is supported, so set both to TLSv1.3 where your clients allow it. For other services, use TLSv1.2 as the minimum. Avoid TLSv1.0 and TLSv1.1.
- Click OK.
Now attach the profile to the service that needs the certificate:
- Management web interface (GUI): go to Device → Setup → Management, click the gear icon on General Settings, choose your profile in the SSL/TLS Service Profile dropdown, and click OK.
- GlobalProtect: open Network → GlobalProtect → Portals (or Gateways), edit the portal/gateway, and select your profile under the portal/gateway configuration’s SSL/TLS Service Profile.
- Other services (Authentication Portal, URL Admin Override, decryption, etc.) reference the SSL/TLS Service Profile from their own configuration screens.
Part 4: Commit to apply
Nothing takes effect until you commit. Click Commit at the top right, then Commit again to confirm. If you bound the profile to the management interface, PAN-OS restarts the web server. You may briefly lose the GUI connection while it restarts; refresh your browser afterward.
Congratulations. Your SSL certificate is now installed and active on Palo Alto Networks. To confirm the result and get an instant status report, use our SSL checker.
Where to buy the best SSL certificate for Palo Alto Networks?
If you’re searching for affordable SSL certificates, SSL Dragon is your best SSL vendor. Our fast and user-friendly website guides you through the entire range of SSL certificates. All our products are signed by trusted Certificate Authorities and are compatible with Palo Alto Networks firewalls.
We bring you the best prices on the market and stellar customer support for any certificate you buy. And if you’re struggling to find the perfect cert for your project, our SSL Wizard tool will give you quick suggestions.
Frequently Asked Questions
Importing a certificate does not put it into use. On PAN-OS you must reference it from an SSL/TLS Service Profile and attach that profile to the relevant service (the management interface, a GlobalProtect portal/gateway, and so on), then Commit. Until you do, the firewall keeps serving its previous certificate.
Not if you generated the CSR on the firewall: the private key was created on the device and stays there, so you import only the signed certificate (with the same name as the CSR) and leave the key fields blank. If you generated the CSR and key elsewhere, import a PKCS#12 bundle (certificate plus key) or import the certificate and then the separate key file.
PAN-OS pairs a signed certificate with its private key by the certificate object name. When you import the certificate under the same Certificate Name you used for the on-device CSR, the firewall automatically matches it to the existing private key. A different name creates a separate object with no key, and the certificate won’t be usable.
Open a plain-text editor and paste the certificates end to end: your server certificate first, then each intermediate (CA) certificate below it, including every -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- line. Save the file with no spaces in the name and import it as Base64 Encoded Certificate (PEM). Don’t include the root certificate.
For administrative access to the management interface and for GlobalProtect portals and gateways, PAN-OS supports TLSv1.3; use it as both the minimum and maximum where your clients allow. For other services, set the minimum to TLSv1.2. Avoid the deprecated TLSv1.0 and TLSv1.1 protocols.
In the GUI, check Device → Certificate Management → Certificates. The certificate should show as valid with the correct expiry. After the commit, browse to the service (for example the management URL or your GlobalProtect portal) and inspect the padlock to confirm the new certificate is being served.


