Installing certificate for PAN-OS 8.0/8.1


Dear Let’s Encrypt community,

We’re trying to obtain SSL certificate for web-gui of our palo alto firewall. I’ve generated CSR file and trying to verify my ownership for one of web-gui firewall portals. As it’s not based on any of the webserver etc and FW has it’s own cli only I can’t verify our ownership of this domain (via e.g. certbot) . Could you please advise and suggest the way we can obtain Let’s Encrypt certification for this FW based portal?

I’ve seen some of the steps for Cisco or Checkpoint FW in the community, but seen nothing for Palo Alto.

My domain is:

I ran this command: ------------

It produced this output: ---------------

My web server is (include version): no web server (it’s PAN-OS palo alto networks FW)

The operating system my web server runs on is (include version): -------------

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): PAN-OS CLI



I’m not known with your OS, but i believe you can use this method below:

If you have any questions, please reply.

Thank you


Hi Steven,
Thanks for your reply. However, I’ve seen this thread and it doesn’t satisfy me at all. I’m waiting for someone who has knowledge about step by step verification of FQDN ownership or sth similar.


Hi @piotrbordo,

It might not be very convenient to use Let’s Encrypt for this device because our certificates only last for 90 days and you may not be able to install certificates automatically. So, you might have to repeat a manual process relatively frequently.

If you can’t post files on a web server, you would be able to obtain a certificate using DNS verification. Do you have an API for your DNS provider? Or you could create a CNAME record for the _acme-challenge subdomain of your name and then point that at another DNS provider that can be updated by API.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.