How to Import an SSL Certificate to a Palo Alto Firewall
Steps on how to import an SSL certificate to a Palo Alto firewall
A Let’s Encrypt SSL certificate is used in this lab
Generate SSL Certificate from Let’s Encrypt
Refer to Generate Wildcard SSL Certificate from Let’s Encrypt with Posh-ACME to generate a new wildcard SSL certificate with PowerShell
Preparation of Root & Intermediate Certificate
Open Certificates – Local Computer with certlm.msc and import cert.pfx into Personal – Certificates
Go to Certificate Path – Let’s Encrypt Authority X3 to export the Intermediate Certificate in Base-64 Encoded X.509 (CER) format and store it in C:\Temp\LetsIntermediate.cer
Go to Certificate Path – DST Root CA X3 to export the CA Root Certificate in Base-64 Encoded X.509 (CER) format and store it in C:\Temp\LetsRoot.cer
Convert the Root & Intermediate Certificate from CER to PEM format
openssl x509 -in LetsRoot.cer -out LetsRoot.pem
openssl x509 -in LetsIntermediate.cer -out LetsIntermediate.pem
The PEM files used in this lab can be downloaded here
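The firewall only shows a proper chain if the three files really belong together, and that can be checked with openssl before anything is imported. The script below is an added example, not part of the original post: it extracts the leaf from cert.pfx (certificate only, no private key) and verifies it through the intermediate to the root with the root as the only trust anchor. The throwaway lab chain, the PFX_PASS variable and the function names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1 or later on PATH.

# chain_ok ROOT_PEM INTERMEDIATE_PEM LEAF_PEM
# Succeeds only if LEAF validates through INTERMEDIATE up to ROOT, with ROOT
# as the only trust anchor (default trust locations are switched off).
chain_ok() {
    extra=""
    # -no-CAstore exists only on OpenSSL 3.x; add it when the build offers it.
    openssl verify -help 2>&1 | grep -q -- '-no-CAstore' && extra="-no-CAstore"
    openssl verify -no-CApath $extra -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# leaf_from_pfx PFX OUT_PEM
# Writes only the leaf certificate (never the private key) to OUT_PEM.
# The passphrase is read from $PFX_PASS so it does not appear in the process list.
leaf_from_pfx() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -out "$2" 2>/dev/null
}

# make_lab_chain DIR
# Constructed stand-in for the real files: root, intermediate, leaf and cert.pfx.
make_lab_chain() {
    ( cd "$1" || exit 1
      printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > lab.cnf
      openssl req -x509 -config lab.cnf -extensions ca_ext -newkey rsa:2048 -nodes -days 2 \
          -subj "/CN=Constructed Lab Root" -keyout root.key -out LetsRoot.pem &&
      openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=Constructed Lab Intermediate" -keyout int.key -out int.csr &&
      openssl x509 -req -in int.csr -CA LetsRoot.pem -CAkey root.key -CAcreateserial \
          -extfile lab.cnf -extensions ca_ext -days 2 -out LetsIntermediate.pem &&
      openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=pa.lab.example" -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA LetsIntermediate.pem -CAkey int.key \
          -CAcreateserial -days 2 -out leaf.pem &&
      openssl pkcs12 -export -inkey leaf.key -in leaf.pem -passout env:PFX_PASS -out cert.pfx
    ) >/dev/null 2>&1
}

# Demo on the constructed chain (passphrase and names are lab values).
export PFX_PASS="constructed-lab-passphrase"
lab=$(mktemp -d) && make_lab_chain "$lab" && leaf_from_pfx "$lab/cert.pfx" "$lab/from_pfx.pem"
chain_ok "$lab/LetsRoot.pem" "$lab/LetsIntermediate.pem" "$lab/from_pfx.pem" && echo "full chain: OK"
# Leaving the intermediate out is the failure an incomplete import would produce.
chain_ok "$lab/LetsRoot.pem" "$lab/LetsRoot.pem" "$lab/from_pfx.pem" || echo "without intermediate: verification fails"
```

For the real files, set PFX_PASS to the cert.pfx passphrase, run leaf_from_pfx on cert.pfx, and pass LetsRoot.pem, LetsIntermediate.pem and the extracted leaf to chain_ok.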
Import SSL Certificate to Palo Alto Firewall
Go to Device – Certificate Management – Certificate – Import and import cert.pfx by entering the passphrase
Import both LetsRoot.pem & LetsIntermediate.pem
The imported SSL certificates are now chained properly
Lastly, commit all the changes to the firewall
Replace the default SSL Certificate used for Management Interface
Create a new SSL/TLS Service Profile by selecting the SSL certificate that was imported in Device – Certificate Management – Certificate – SSL/TLS Service Profile
Change the SSL/TLS Service Profile for Management Traffic in Device – Management – General Settings and commit the changes
Log in to the management interface via https://pa.aventislab.info (FQDN) to verify that the new SSL certificate is now in use