Obtain certificates from a trusted third-party CA—The
benefit of obtaining a certificate from a trusted third-party certificate
authority (CA) such as VeriSign or GoDaddy is that end clients will
already trust the certificate because common browsers include root
CA certificates from well-known CAs in their trusted root certificate
stores. Therefore, for applications that require end clients to
establish secure connections with the firewall or Panorama, purchase a
certificate from a CA that the end clients trust to avoid having
to pre-deploy root CA certificates to the end clients. (Some such
applications are a GlobalProtect portal or GlobalProtect Mobile
Security Manager.) However, most third-party CAs cannot issue signing
certificates. Therefore, this type of certificate is not appropriate
for applications (for example, SSL/TLS decryption and large-scale
VPN) that require the firewall to issue certificates. See
Obtain
a Certificate from an External CA.