Palo Alto SSL Certificate Upgrade


  • Obtain the PFX (PKCS12) file containing the new certificate and private key.
  • Obtain the password for the PFX file from the team handling certificates.
  • Use a compatible browser for the Palo Alto Firewall’s web interface, with Firefox being recommended.


  1. Log in to the Palo Alto Firewall Web Interface:
    • Open Firefox (or another compatible browser) and log in to your Palo Alto Firewall.
  2. Navigate to Certificates:
    • Go to Device > Certificate Management > Certificates.
  3. Import the PFX File:
    • Click on Import.
  4. Fill in the Import Details:
    • Certificate Type: Select Local.
    • Certificate Name: Enter the same name as the certificate you are replacing to ensure seamless replacement.
    • Certificate File: Browse to the location of the PFX file.
    • File Format: Select Encrypted Private Key and Certificate (PKCS12).
    • Passphrase: Enter the password for the PFX file.
    • pa-ssl-upgrade1
  5. Import the Certificate:
    • Click OK to import the certificate.
  6. Verify the Certificate:
    • Ensure the new certificate is listed and that the details are correct.
  7. Commit the Configuration:
    • Click on Commit to apply the changes.
  8. Validate the New Certificate:
    • Verify that the new certificate is installed correctly and is being used for the relevant services.
    • Test the services that use the certificate to ensure they are functioning correctly.

Best Practices:

  1. Backup Existing Certificates:
    • Before making any changes, back up the current certificates and configurations.
  2. Intermediate Certificates:
    • Ensure that any intermediate certificates required by the new certificate are also installedThis can be done by importing them in the Device > Certificate Management > Certificates section.
  3. Testing:
    • If possible, test the new certificate in a staging environment before applying it in production.
  4. Monitoring:
    • After the new certificate is installed and committed, monitor the services to ensure there are no issues.


Commit the config and ensure everything is working as expected.

By following these steps and best practices, you should be able to upgrade your third-party certificate on a Palo Alto Firewall smoothly and ensure continuity of service.