Palo Alto Networks – CSR Generation

To generate a Certificate Signing Request (CSR), a key pair must be created for the server. These two items are a public key and a private key pair and cannot be separated.

When generating your CSR from your Palo Alto Network system your private key will be left on the system.

To generate a CSR for your Palo Alto Network system perform the following.

Step 1: Generating your CSR:

1. Log into your Palo Alto Network system.
2. Go to Device > Certificate Management > Certificates.
   
3. On the bottom of the screen, click Generate.
   
4. In the Generate Certificate window Specify the following:
   1. Certificate Type: Select Local.
   2. Certificate Name: Specify a friendly name for this certificate (save this name for later)  Example domain.com2018
   3. Common Name: Specify the Fully Qualified Domain Name.
   4. Signed By: From the drop down menu, select External Authority (CSR).
   5. Certificate Authority: Leave blank Do NOT check.
   6. OCSP responder: Leave as is default.
   7. Algorithm: Select RSA.
   8. Number of bits: 2048 bits or greater.
   9. Digest: sha256
   10. Expiration (days): Ignore
       1. Certificate Attributes:
          Under Certificate Attributes field you will click Add and specify the following fields as it applies to your organization.
          1. Country: The two letter ISO country code.
          2. State: The business registered state or province (Do not abbreviate).
          3. Locality: The Business registered location (not the actual server location).
          4. Organization: The Registered Organizational Name the certificate belongs to.
5. When everything is set click Generate.
   
6. You will get a confirmation window pop up stating that the keypair csr creation is complete.

Step 2: Exporting your CSR to submit to your Certificate Authority:

1. Click the box nest to the Certificate Name to select the CSR certificate request.
2. Click Export and save the file.
   

Congrats! Your private key pair has now been created on this system. Your CSR request has been created. You will open this file in notepad and copy and paste its contents into the enrollment portal of the Certificate Authority you are getting your SSL Certificate from. 

Note: When submitting a CSR to a CA authority, you may be asked to specify either the type of Web server on which the certificate was created or the type of Web server the certificate is for.  Select Apache (if more than one option with apache is available, choose other).

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

Palo Alto Network Support:

For more information refer to Palo Alto

For a correct set of SSL installation instructions into your Palo Alto Network system click here