Configure Certificate Based Authentication for IKE: ISSUE Cert

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Configure Certificate Based Authentication for IKE: ISSUE Cert

L2 Linker

Hi all,

I config IPSec betwen two PA device: 1 PA5020 and 1 PA

I config as guide: How to Configure Certificate Based Authentication for IKE on PAN-OS 6.0

I generate CA on PA 5020 and import to PA 200

But on PA 200 i can't sign new  Cert with the imported CA certificate.


I try generate all cert on PA 5020 ( root CA & signed CA) and import to PA 200.

But when config IKE gateaway, i can't chose CA


Something wrong, but i don't where

Pls help me



L5 Sessionator

Hi dat.tran

Could you please show us the snapshot of the CA imported ?

Also can you try generating the certificate to be used on PA-200 on PA-5020 itself ?

Hope it helps !

L5 Sessionator


When you exported and imported certificate did you by any chance exported private key also?


Hari Yadavalli

L6 Presenter

Hi Dat,

Make sure you have imported private key of the certificate along with certificate. If that is done for sure you sign another certificate.

Export certificate : make sure you click on private key and put passphrase. Exa; Passphrase is "test123"


Import Certificate : Make sure you click Import Private key. Put above specified passphrase "test123"



Hardik Shah

Thanks for support,

now, i can import and used Cert

But, my tunnel IPSEC can't UP

I don't know what wrong.


My config:

PA 5020

cert 1.PNG

cert 11.PNG






PA 200

p 01.PNG

p 05.PNG

p 07.PNG

Hello dat.tran,

Could you please apply below mentioned CLI command to initiate the tunnel manually:

> test vpn ike-sa gateway XXXXXX

Initiate IKE SA: Total 1 gateways found. 1 ike sa found.

> test vpn ipsec-sa tunnel XXXXXX

Initiate IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

After applying above CLI commands, i would request you to check MOnitor > Logs > System for more detail information (subtype= "vpn")

Hope this helps.


Thanks, Time on PA 200 fault Smiley Sad

Now, IPSEC tunnel is UP>

Thanks for your help :smileygrin:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!