How to Generate a New Self-Signed SSL Certificate

Printer Friendly Page


If you do not want to load your own certificate into the device or use the default self-signed certificate, a new self-signed certificate can be generated through the web interface or CLI.

This new self-signed certificate can be used for SSL Decryption or for a GlobalProtect portal or Gateway Certificates.



1. From the WebGUI, navigate to Device > Certificates.

2. Click Generate at the bottom of the screen.

3. Enter the desired details for the certificate. The details entered here are what users see if they view the CA certificate for an encrypted session using the browser. 
Note: If you would like the certificate to be valid for longer than 365 days (1 year), then please change the "Expiration (days) from 365 to a larger value before creating the certificate.

generate selfsigned cert.pngGenerate a SelfSigned Certificate


4. On the Generate Certificate window, click Generate:

succesfull generation.pngCertificate successfully generated


5. To verify that the certificate was created properly, click on the newly generated certificate.

Note:  If using this certificate for SSL Decryption, please check "Forward Trust Certificate" and "Forward Untrust Certificate". To delete or remove the certificate, uncheck both options, otherwise an error is generated.

certificate properties.pngEnable Forward Trust and Untrust


6. Commit the changes. When the commit operation completes, the Self-Signed CA certificate isinstalled.



From the CLI, to create a new self-signed certificate, run the following command, <all on one line>(PAN-OS 6.1 only)


> request certificate self-signed country-code US email locality Alviso state CA organization “Palo Alto Networks” organization-unit “Session inspected by policy” nbits 1024 name “SSL Inspection” passphrase bubba for-use-by ssl-decryption


For PAN-OS 7.0 and after, a very simple self signed certificate can be created with this command:


> request certificate generate name "Firewall-a" certificate-name "ssl test"


You can always use the <tab> or "?" when in the CLI to see what the next commands can be.



For additional info on CLI commands please see this article:

Get Started with the CLI



owner: jebel


The screen shots don't appear in the document.  

CLI commands don't work in 7.0.1

Screenshots and 7.0 commands have been updated. Please let us know if there is anything else.

The same certificate should not be used for both Forward Trust and Forward Untrust. The firewall will return a certificate back to the client based upon whether the firewall trusts the SSL certificate returned by the server to which the client is connecting. If the server certificate is trusted, the firewall will return to the client the Forward Trust certificate. If the server certificate is untrusted, then the firewall will return the Forward Untrust. The client should implicitly trust the Forward Trust and not trust the Forward Untrust. This way, the client will know that it is attempting to connect to an untrusted server, If the firewall always returns Forward Trust, then the client always trusts it and it will not know why it cannot connect to an untrusted server

Hi team, 


I have a question. Its possible sign the forward untrust certificate for an external CA? like Godaddy, Verising etc..


I mean split the certificate, First certificate signed for interanal CA such us Microsoft Certificate Services or Signed Self by Palo Alto and only enable checkbox Forward trust certificate and an other Certificate signed for Verising and when I import the certificate I enable checkbox Forward Untrust certificate


If is possible, in the common name i have to fill with my public ip address? or use an FQDN?







Hi @Matias_Cova


No this is not possible because essentially this is a man in the middle attack with a fake Certificate Authority

( is signed by instead of a public CA, which allows you to intercept and break encryption)


If you have an active directory with CA you can use this to create/act as CA for your decryption, which will help prevent certificate errors because your clients will trust your CA. 


Public CA's will not be able to act this way as this breaks the reason for trusted CA's to be public in the first place



We are facing issue while exporting the seft signed certificate from PA device.


> Browser page get refreshed when trying to export certificate.

> Tried with all browser there is same issue.

> Restarted the management server still issue not resolved.

> Tried with another system as well as with different OS(Win 7 & Win 10) facing same issue.

> The firewall running with version 7.1.14.





Jitendra Bavkar


Hi @Jitendrab


I don't know why is happening that, but while, you try export the certificate using this CLI command


admin@PA-3020(active)> scp export certificate

You need to add more options to export

+ passphrase
+ remote-port
+ source-ip
* certificate-name
* format
* include-key
* to Destination (username@host:path)

but may be this is a workaround until see what happens with the FW


I hope I have helped