Sectigo Palo Alto GlobalProtect Integration Overview

The Sectigo Palo Alto GlobalProtect Integration guide provides instructions for automating the installation of Sectigo certificates on a Palo Alto firewall using Automatic Certificate Management Environment (ACME). The process requests an SSL certificate from SCM with ACME, converts it to PFX format with a temporary password, uploads the certificate, and changes the SSL/TLS Service Profile related to the GlobalProtect configuration via script. This guide was developed based on this blog post. This method was tested with Private and Public CAs within SCM.

Certificate Request Flow

[Figure: Sectigo ACME Palo Alto GlobalProtect Integration diagram]

  1. The ACME client initiates a request from SCM via a Public or Private ACME Enrollment Endpoint:

    1. An authentication request is created.

    2. A private key is generated with the corresponding CSR.

    3. The CSR is uploaded to the ACME endpoint.

  2. The SCM ACME endpoint responds:

    1. The authentication process is completed.

    2. A certificate is generated.

    3. The certificate is sent back to the client.

  3. The machine running the ACME client uploads the PFX to the Palo Alto firewall:

    1. The certificate, private key, and chain are converted to the PFX format.

    2. The PFX file is uploaded to the firewall.

    3. The configuration changes are committed to the firewall.
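
The conversion in step 3.1, as an added example that is not taken from the Sectigo guide or the blog post it references: the PFX is built with a one-time passphrase passed through the environment, then checked before any upload to confirm that it opens and matches the private key. The function names, file names and the self-signed sample certificates are assumptions constructed for the example; the upload and commit steps are not shown.

```shell
#!/bin/sh
# Added example, not Sectigo's script: step 3.1 (PEM to PFX) with a one-time passphrase.
set -eu
umask 077   # files created below (keys, PFX) are readable by the owner only

# Bundle key, certificate and chain into a PFX. The passphrase is read from
# $PFX_PASS (-passout env:), so it does not show up in the process list.
make_pfx() {   # usage: make_pfx privkey.pem cert.pem chain.pem out.pfx
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout env:PFX_PASS
}

# Pre-upload check: the PFX opens with $PFX_PASS and its leaf certificate
# holds the public key that belongs to the given private key.
pfx_matches_key() {   # usage: pfx_matches_key file.pfx privkey.pem
  leaf_pem=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null) || return 1
  leaf_pub=$(printf '%s\n' "$leaf_pem" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$leaf_pub" = "$key_pub" ]
}

# Constructed sample input: two throwaway self-signed certificates standing in
# for the ACME-issued leaf (privkey.pem, cert.pem) and its chain (chain.pem).
make_sample() {   # usage: make_sample dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn.example.test" \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
    -keyout "$1/chainkey.pem" -out "$1/chain.pem" 2>/dev/null
}

demo() {
  work=$(mktemp -d) || return 1                      # private scratch directory
  PFX_PASS=$(openssl rand -hex 24); export PFX_PASS  # one-time passphrase
  rc=0
  make_sample "$work" &&
    make_pfx "$work/privkey.pem" "$work/cert.pem" "$work/chain.pem" "$work/gp.pfx" &&
    pfx_matches_key "$work/gp.pfx" "$work/privkey.pem" || rc=1
  rm -rf "$work"; unset PFX_PASS   # temporary key material and passphrase are discarded
  return "$rc"
}

# Run with the argument "demo" to exercise the functions on the sample input.
if [ "${1:-}" = "demo" ]; then demo && echo "PFX verified"; fi
```

In a real run the three PEM paths are the ACME client's output, and the PFX and `$PFX_PASS` should be discarded as soon as the firewall has accepted the import.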