This guide shows you how to generate a CSR (Certificate Signing Request) on a Palo Alto Networks firewall running PAN-OS. You create the request in the web interface under Device > Certificate Management > Certificates, set Signed By to External Authority (CSR), then export the request to send to your Certificate Authority. The private key is created at the same time and stays on the firewall: it is not included when you export the CSR.
Generate the CSR on Palo Alto Networks
Follow the steps below. The menu labels match current PAN-OS releases; one tab name changed in PAN-OS 12.1, which is noted where it matters.
Step 1: Open Certificate Management
- Log in to your Palo Alto Networks firewall web interface.
- Select the Device tab. In the left pane, expand Certificate Management and click Certificates.
- Make sure you are on the Device Certificates tab. In PAN-OS 12.1.0 and later this tab is named Custom Certificates; the steps are the same.
Step 2: Open the Generate Certificate window
Click Generate at the bottom of the screen. The Generate Certificate window opens. Enter the following details.
- Certificate Type: select Local. This keeps the request and its private key on the firewall.
- Certificate Name: a label to identify the certificate on the firewall, for example yoursite.com 2026. This is an internal name only; it does not have to match the domain.
- Common Name: the fully qualified domain name (FQDN) you want to secure, for example
yoursite.com. For a wildcard certificate, put an asterisk in front of the domain, for example*.yoursite.com. - Signed By: select External Authority (CSR) from the drop-down. This is the setting that produces a CSR for a public CA rather than a self-signed certificate.
- Certificate Authority: leave this checkbox clear. It applies only when the firewall itself acts as a CA.
- OCSP Responder: leave the default.
- Algorithm: RSA (or ECDSA if your CA and clients support it).
- Number of Bits: 2048 for RSA. 2048 is the minimum public CAs accept; you can choose 3072 or 4096 for a larger key.
- Digest: sha256.
- Expiration (days): leave blank. The validity period is set by the CA when it issues the certificate, not by the firewall.
Step 3: Add the Certificate Attributes
Under Certificate Attributes, click Add for each entry and fill in your organization details:
- Country: the two-letter ISO country code, for example
US. - State: the full name of the state or region where your company is registered, for example Hawaii.
- Locality: the full name of the city, for example Honolulu.
- Organization: the full legal name of your company, for example Your Company LLC.
If your certificate must cover more than one host name, add a Host Name attribute for each name. PAN-OS writes these into the Subject Alternative Name (SAN) field of the request. The first Host Name should match the Common Name, because public CAs validate and present certificates by their SAN entries.
Step 4: Generate the request
Check the information you entered, then click Generate. A message confirms that the CSR and the matching private key were created. The new entry appears on the Device Certificates tab with a Status of pending.
Export the CSR
- Tick the checkbox next to the pending certificate Name.
- Click Export at the bottom of the page and save the request file to your computer.
Open the exported file with any plain-text editor, such as Notepad. The contents start with -----BEGIN CERTIFICATE REQUEST----- and end with -----END CERTIFICATE REQUEST-----. During SSL enrollment, copy the whole block, including those two lines, into the CSR box on your SSL vendor’s order page.
The private key never leaves the firewall, so do not delete the pending entry while you wait for the signed certificate. The firewall needs that entry to pair the issued certificate with its key when you import it later.
Check the CSR before you submit it
It is worth confirming the request contains the right domain and organization details before you place the order. If you have OpenSSL on any machine, decode the exported file with:
openssl req -noout -text -in request.csr
Check that the Common Name, the SAN entries, and the organization fields are correct. If anything is wrong, generate a new CSR on the firewall rather than editing the file: any change to the text invalidates the signature. Without OpenSSL, you can paste the exported request into our online CSR decoder to confirm the same fields.
You can also generate a CSR outside the firewall with our CSR Generator if you prefer to prepare the request details in a browser.
After the CA issues your certificate
Once the CA validates the CSR and issues your SSL certificate, return to the same Certificates screen, select the pending entry, and import the signed file to complete the process. The full procedure is in our guide on how to install an SSL certificate on Palo Alto Networks.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


