If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.

On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.

Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.

If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
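The self-signed rule and the full-chain practice above can be checked before import. The following is an added example, not Palo Alto Networks code; it assumes the OpenSSL command line and a PEM bundle ordered leaf, intermediate(s), root, and every function and file name in it is hypothetical.

```sh
#!/bin/sh
# Added example: pre-import checks for a PEM bundle ordered
# leaf -> intermediate(s) -> root. File names are the caller's (assumed).

subj()   { openssl x509 -noout -subject_hash -in "$1"; }
issuer() { openssl x509 -noout -issuer_hash -in "$1"; }

# Subject and issuer names are identical (the self-signed form).
is_self_signed() (
  h=$(subj "$1") && [ -n "$h" ] && [ "$h" = "$(issuer "$1")" ]
)

# basicConstraints marks the certificate as a CA.
is_ca() { openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'; }

# The page's rule: a self-signed certificate is importable only if it is a CA.
self_signed_rule_ok() { ! is_self_signed "$1" || is_ca "$1"; }

# The private key belongs to the certificate (their public keys are equal).
key_matches() (
  pub=$(openssl x509 -noout -pubkey -in "$1") && [ -n "$pub" ] &&
    [ "$pub" = "$(openssl pkey -pubout -in "$2")" ]
)

# Every certificate in the bundle verifies against the next one and the last
# one is a self-signed CA, so nothing is missing between leaf and root.
chain_is_complete() (
  dir=$(mktemp -d) || exit 2
  # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
  n=$(awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") } END { print n + 0 }' "$1")
  rc=0; i=1
  [ "$n" -ge 1 ] || rc=1
  while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
    # Treat the next certificate as the only anchor for the current one.
    openssl verify -partial_chain -CAfile "$dir/$((i + 1)).pem" \
      "$dir/$i.pem" >/dev/null 2>&1 || rc=1
    i=$((i + 1))
  done
  if [ "$rc" -eq 0 ]; then
    { is_self_signed "$dir/$n.pem" && is_ca "$dir/$n.pem"; } || rc=1
  fi
  rm -rf "$dir"
  exit "$rc"
)
```

Each function returns 0 when its check passes, so they can gate an import step in a script, for example `chain_is_complete bundle.pem && key_matches leaf.pem leaf.key`.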