Palo Alto VM-Series Firewall: Let’s Encrypt certificate

PAN-OS only lets you generate self-signed certificates or import existing ones. To use a Let’s Encrypt certificate, you have to request it on another machine, so only DNS validation can be used.

AWS Route53 is used as the DNS provider, Certbot is used to obtain the certificate, and an installed and configured awscli is also required.

Certificate request

Install the necessary software (in this example, macOS was used):

brew install certbot awscli
pip3 install certbot-dns-route53

Configure awscli:

aws configure


Minimum permissions for DNS validation

AWS IAM Policy:

{
  "Version": "2012-10-17",
  "Id": "certbot-dns-route53",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["route53:ListHostedZones", "route53:GetChange"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["route53:ChangeResourceRecordSets"],
      "Resource": ["arn:aws:route53:::hostedzone/YOURDOMAINZONEID"]
    }
  ]
}

Where "YOURDOMAINZONEID" is the ID of your hosted zone. Note that record changes are limited to that one zone, while listing zones and polling the change status need "*".
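As an added check (not part of the original post): a small Python script that lints an IAM policy document against the minimum above, flagging wildcard actions, actions the certbot-dns-route53 plugin does not need, and record-change permissions that are not pinned to the hosted zone. The sample policies embedded in it are constructed for the demonstration.

```python
import json

# Actions the certbot-dns-route53 plugin needs for DNS validation.
NEEDED_ACTIONS = {
    "route53:ListHostedZones",
    "route53:GetChange",
    "route53:ChangeResourceRecordSets",
}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_policy(policy, zone_id):
    """Return findings for an IAM policy document; an empty list means it is minimal.

    zone_id is the Route53 hosted zone ID; record changes must be limited to it.
    """
    findings = []
    zone_arn = f"arn:aws:route53:::hostedzone/{zone_id}"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in NEEDED_ACTIONS:
                findings.append(f"statement {i}: {action!r} is not needed for DNS validation")
        # Anything that can change records (explicitly or via a wildcard) must be
        # pinned to the one hosted zone, never to "*".
        can_change = any(a in ("*", "route53:*", "route53:ChangeResourceRecordSets") for a in actions)
        if can_change and resources != [zone_arn]:
            findings.append(f"statement {i}: record changes not limited to {zone_arn}")
    return findings

# Constructed samples: the minimal policy from above, and an over-broad one.
MINIMAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:GetChange"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/YOURDOMAINZONEID"]}
  ]}""")
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in (("minimal", MINIMAL_POLICY), ("broad", BROAD_POLICY)):
        print(name, check_policy(pol, "YOURDOMAINZONEID") or ["OK"])
```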


Requesting a certificate

Certbot on macOS requires root privileges

sudo certbot certonly \
  --register-unsafely-without-email \
  --dns-route53 \
  -d YOURDOMAIN

Where "YOURDOMAIN" is the domain name for the requested certificate


Since Certbot ran as root, copy the required files from the live directory for "YOURDOMAIN" to the home directory and change their owner:

sudo cp /etc/letsencrypt/live/YOURDOMAIN/{fullchain,privkey}.pem ~/
sudo chown artem:staff ~/{fullchain,privkey}.pem

Now you can proceed to import the certificate



To import a certificate, go to "Device" -> "Certificate Management" -> "Certificates" -> "Device Certificates" and click "Import"

  • Certificate File: fullchain.pem
  • Import Private Key: check the box
  • Key File: privkey.pem
  • Passphrase: random password (will not be used anywhere else)

We check the status of the certificate and make sure that the "Key" field is checked.

Next, create an SSL/TLS profile: go to "Device" -> "Certificate Management" -> "SSL/TLS Service Profile" and click "Add". Select the imported certificate, give the profile a name, and set the minimum and maximum TLS versions.

Finally, assign the profile to the management connection. Go to "Device" -> "Setup" -> "Management Settings" and click the "gear" icon. Set the domain name and select the SSL/TLS profile.

All that is left is to apply and save the changes: click the "Commit" button in the upper right corner.

After a few minutes, you can connect to the WebUI over HTTPS using the domain name.


Don’t forget to create a DNS record pointing to your firewall



To import a certificate for GlobalProtect, you need to follow all the same steps and specify the required profile when configuring the portal and gateway.
