Anyone has experience working with Public Certificate and OpenSSL for Palo Alto SSL/TLS Service Profile

Dear all,

I have a certificate issued by the CA.

Now this certificate is for a Palo Alto machine at a customer site. We don't have access to those devices.

Now the manager asked me to first use the OpenSSL tool to generate a private key and test the certificate for the SSL/TLS service profile on our own device and make sure the certificate is working.

Now when I use OpenSSL to generate a combined certificate and key together.

When I upload the final combined cert with the .crt and .pem file into the Palo Alto machine, first, it does not upload, and second, it doesn't appear under the SSL/TLS profile.

Can anyone help me fix the issue, please?

I really need support because we need to use the certificate tomorrow at the customer site.

Thank you.

Best Regards,

Shah.

3 REPLIES

Community Team Member

Hi @m.shah.alizada2000,

Can you give more details on the upload process?

Are you getting any errors/logs while trying to upload the file?

I've seen this kind of problem happen when a wrong format was used.

When key and certificate are combined into one file, make sure you're using the PKCS12 format:

Source: https://docs.paloaltonetworks.com/ngfw/administration/certificate-management/certificate-deployment/...

Hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Dear Kiwi,

I am very sorry I explained things that way.

Tbh I misunderstood the topic, so let me clearly explain everything here for you, so you get what is going on and can help me with that.

Now I work at an IT service company. We have a Palo Alto machine which acts as a VPN gateway for our clients. Our clients are businesses and organizations.

Our clients have their own Palo Alto machines, which use our certificate (under our domain name) to connect to the VPN gateway and get access to ISPs and resources.

Now recently one of our clients' certificates has expired (I will attach a screenshot for you). They came to us to provide them with a new certificate. Now we sent the CSR to the CA and they signed and returned the CA, but here I have a couple of questions:
1. We generated the CSR on our own Palo Alto machine, where the private key is kept inside our Palo Alto machine. How is that going to work on the client's machine?
2. Even when we used the same cert with our Palo Alto machine, the certificate couldn't be used for connecting to the gateway?

Previously we had a senior IT tech who could help us with these issues.

Now I am completely stuck here on how to get it done and make the customer receive our cert and restore their SSL VPN connection and, most importantly, restore their connection to the ISP.

I would really appreciate it if you could help me settle this down.

Thank you.

Best Regards,

Shah.

For 1., if you generated the CSR locally, you'll need to import the CSR response locally and then export the certificate from the Palo (WITH private key) and send that to the customer.

2. It needs to be shared with the customer.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
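
Added example (not written by any poster in this thread, and not Palo Alto tooling): a certificate only works with the private key whose public half was in the CSR, so a key generated separately in OpenSSL will not pair with it. The shell functions below check that a key matches a certificate before bundling both as PKCS12; the file names, CN and passphrase are constructed placeholders, and PEM input with an unencrypted key is assumed.

```shell
#!/bin/sh
# Added example: confirm a private key belongs to a certificate, then bundle
# both as PKCS12. Paths, CN and passphrase are constructed placeholders.
# Assumes PEM input and an unencrypted private key.

# Exit 0 if key ($2) matches cert ($1), 1 if not, 2 if either is unreadable.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build a PKCS12 bundle ($3) from cert ($1) and key ($2), refusing a mismatch.
# The passphrase ($4) goes through the environment, not the argument list.
make_p12() {
    key_matches_cert "$1" "$2" || {
        echo "refusing to bundle: $2 is not the key for $1" >&2
        return 1
    }
    P12_PASS="$4" openssl pkcs12 -export -in "$1" -inkey "$2" \
        -out "$3" -passout env:P12_PASS
}

# Constructed sample data: a throwaway self-signed cert with its key (fw.*),
# plus an unrelated key (other.key) like one generated separately in OpenSSL.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$1/fw.key" -out "$1/fw.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
for k in fw.key other.key; do
    if key_matches_cert "$demo_dir/fw.crt" "$demo_dir/$k"; then
        echo "$k: matches fw.crt"
    else
        echo "$k: does NOT match fw.crt"
    fi
done
make_p12 "$demo_dir/fw.crt" "$demo_dir/fw.key" "$demo_dir/fw.p12" "constructed-pass" &&
    echo "wrote $demo_dir/fw.p12"
rm -rf "$demo_dir"
```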