How to Generate a Certificate Signing Request (CSR) With a Multi-level Organizational Unit

Printer Friendly Page


A Certificate Signing Request (CSR) with a multi-level organizational unit can be generated from the CLI using the following command:


> request certificate generate


Here are the options: * are required.
+ ca                   Make this a signing certificate
+ country-code         Country code
+ days-till-expiry     Number of days till expiry
+ digest               Digest Algorithm
+ email                Email address of the contact person
+ filename             file name for the certificate
+ locality             Locality
+ ocsp-responder-url   ocsp-responder-url
+ organization         Organization
+ signed-by            signed-by
+ state                State/province
* algorithm            algorithm
* certificate-name     Name of the certificate object
* name                 IP or FQDN to appear on the certificate
> alt-email            Subject alternate Email type
> hostname             Subject alternate name DNS type
> ip                   Subject alternate name IP type
> organization-unit    Department


Note: in PAN-OS 8.0, the algorithm option is required to generate a CSR.


For example:

> request certificate generate organization-unit [OU1,OU2] signed-by external filename csr-site123 certificate-name site123 name algorithm RSA rsa-nbits 1024


Successfully generated certificate and key pair : site123


The above command will generate a CSR with the following attributes:

Certificate Name: site123

Organizational Units: OU1 and OU2

Common Name:


Inside of the WebGUI: Device > Certificate Management > Certificates > Device Certificates tab

You will see the pending certificate. In order to save the CSR request, click the certificate, then Export:




owner: jteetsel




I have generated the CSR certificate and successfully get signed and imported in the device. And successfully created SSL/TLS profile and made necessary settings in the device setup management category. After all done Am able to get the valid certificate while login using device name but my question is I am unable to get the valid certificate using the FQDN even I used details in generating the certificate.

Ressurecting an older thread to ask: How do you export the CSR from the CLI as well?

I've found how to export certificates (scp export certificate...) but not signing requests.


Anyone know?

@MatthewSabin, I looked and it does not appear that there is an option to export from the CLI for the CSR. Only the WebGUI.
I have re-wrote this article to include the GUI options and screens. I hope this helps.