The Key checkbox remains unchecked and the CSR remains pending because you did not import the signed certificate correctly. You must import the signed certificate with the certificate object name exactly the same as the CSR you generated. The file name of the CSR and signed certificate does not matter.


You generate a CSR to be signed by clicking the "Generate" button at the bottom of the Device->CertificateManagement->Certificates screen and then fill out the relevant information:

Certificate Name:  MyCert

Common Name:  myserver.example.com

Signed By:  External Authority (CSR)

....


When you click the "Generate" button in the Generate Certificate window the output CSR will, by default, be named "cert_MyCert.csr". You can rename the file to anything you want when saving/before submitting to your certificate authority for signing. The content of the CSR matters, not the filename.


After your certificate authority has returned your signed certificate you need to import it to match the CSR previously generated. They may give you a file named "cert_MyCert.cer" or it may be completely different like "myserver_20230715_signed.cer". Again the file name doesn't matter. You click the Import button at the bottom of the Certificates screen and enter the Certificate Name exactly as you did when generating the CSR:

Certificate Name:  MyCert

Certificate File:  myserver_20230715_signed.cer

File format:  Base64 Encoded Certificate (PEM)

...


The Palo Alto will now attempt to match the signed certificate to the previously generated "MyCert" CSR object.

  • If the signed certificate fails to match the CSR you will get a duplicate certificate name error or mismatch public/private key error.
  • If you give a different Certificate Name than you used when you generated the CSR, the imported certificate will not be matched against the CSR; it will be imported as a stand-alone certificate (for verifying the identity of other devices, not signing local communications).
  • If the signed certificate matches the CSR then the pending CSR will change to a certificate with a key with a valid status.


1) If you have imported the signed certificate with a different Certificate Name than the CSR you generated (and it hasn't matched/has no private key), delete the certificate and reimport with the same object name as the CSR. Don't delete the CSR object, as you can't recover that unless you have previously exported it with the private key.


2) If your imported signed certificate has a key mismatch with the CSR, then either the signed certificate is not from the CSR or the file has been corrupted (or the signing authority tried to change certificate fields). Make sure you are importing a PEM file (ASCII base64-encoded) and your certificate authority has not sent you a DER file (Windows binary-encoded). Also make sure you did not create multiple CSRs and you are trying to import a signed certificate against the wrong CSR (i.e. you signed the wrong one).


3) Also note: If you are signing your CSR with a private certificate authority (i.e. your own internal corporate certificate infrastructure), you need to import the certificate authority chain before importing the signed certificate (if your CA provides a chain in the signed certificate this may not be necessary). Once the CSR is signed it will appear under the certificate chain.


See the KnowledgeBase for creating a CSR and importing the signed certificate:

https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClSx
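As an added example (not from the post above or from Palo Alto Networks' own code), a Go check for the two failure modes described in points 1 and 2: it reports whether a signed certificate actually carries the public key of the CSR it is supposed to answer, and whether the file the CA handed back is PEM or binary DER. It goes slightly beyond the post in accepting either encoding; the CSR, both certificates and the key pairs are generated inline as constructed sample data, and only the myserver.example.com name is taken from the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// KeyMatchesCSR reports whether the signed certificate carries the same public key
// as the PEM CSR (the pairing needed to attach it to the pending CSR's private key)
// and whether the certificate file was PEM or binary DER encoded.
func KeyMatchesCSR(csrPEM, certFile []byte) (bool, string, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return false, "", fmt.Errorf("CSR input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return false, "", err
	}
	der, format := certFile, "DER" // raw binary file: the PEM import option rejects it
	if cb, _ := pem.Decode(certFile); cb != nil {
		der, format = cb.Bytes, "PEM"
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, format, err
	}
	a, _ := x509.MarshalPKIXPublicKey(csr.PublicKey)
	b, _ := x509.MarshalPKIXPublicKey(cert.PublicKey)
	return string(a) == string(b), format, nil
}

// Sample returns constructed data (not real files): a CSR for myserver.example.com,
// a PEM certificate issued for the CSR's key, and a DER certificate for another key.
func Sample() (csrPEM, goodPEM, wrongDER []byte) {
	pub1, key1, _ := ed25519.GenerateKey(rand.Reader) // key behind the "MyCert" CSR
	pub2, key2, _ := ed25519.GenerateKey(rand.Reader) // unrelated key (a second CSR)
	csr, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "myserver.example.com"}}, key1)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "myserver.example.com"}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	goodDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub1, key1)
	wrongDER, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub2, key2)
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csr})
	goodPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: goodDER})
	return csrPEM, goodPEM, wrongDER
}
```

A "DER" result with a matching key means the file itself is fine and only needs to be imported with the DER format option, or converted to PEM first; a PEM result with no match means the certificate was issued for a different key than the pending CSR.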
