A self-signed root certificate authority (CA)
certificate is the top-most certificate in a certificate chain.
A firewall can use this certificate to automatically issue certificates
for other uses. For example, the firewall issues certificates for
SSL/TLS decryption and for satellites in a GlobalProtect large-scale
VPN.
When establishing a secure connection with the firewall,
the remote client must trust the root CA that issued the certificate.
Otherwise, the client browser will display a warning that the certificate
is invalid and might (depending on security settings) block the
connection. To prevent this, after generating the self-signed root
CA certificate, import it into the client systems.
On a Palo Alto Networks firewall or Panorama,
you can generate self-signed certificates only if they are CA certificates.
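
The trust decision described above, reproduced with the OpenSSL command line as an added example (not Palo Alto Networks code or a firewall procedure). The CA name, the host name `fw.example.test`, the file paths and the helper function names are constructed for illustration, and an OpenSSL trust store (OpenSSL 1.1.0 or later assumed) stands in for the client system.

```shell
#!/bin/sh
# Added example: constructed lab PKI, not certificates exported from a firewall.
WORK=$(mktemp -d)

make_pki() {
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:fw.example.test
EOF
  # Self-signed root CA, then a key and CSR for a hypothetical host, then the root signs the leaf.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/pki.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=fw.example.test" -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
    -extfile "$WORK/pki.cnf" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null
}

# True when subject == issuer, the signature verifies under its own key, and CA:TRUE is set.
is_self_signed_ca() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*= *//')
  issr=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*= *//')
  [ "$subj" = "$issr" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# $1 = certificate presented to the client, $2 = root CA the client has imported (optional).
client_trusts() {
  if [ -n "$2" ]; then openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
  fi
}

make_pki || exit 1
is_self_signed_ca "$WORK/root.pem" && echo "root.pem: self-signed CA"
client_trusts "$WORK/leaf.pem" || echo "root not imported: client rejects the leaf"
client_trusts "$WORK/leaf.pem" "$WORK/root.pem" && echo "root imported: client accepts the leaf"
```

The rejection in the second check is the condition a browser reports as an invalid certificate; importing `root.pem` into the trust store is what turns it into the accepted case.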