Sectigo Connector for Palo Alto GlobalProtect ("the connector") is a solution for automating the installation of Sectigo certificates on Palo Alto Firewall with Automatic Certificate Management Environment (ACME). The connector is based on the Certbot client.

During this process the ACME client requests an SSL certificate from SCM, converts it to PFX format with a temporary password, uploads the certificate, and changes the SSL/TLS service profile related to the GlobalProtect configuration via script. This method works with both private and public CAs within SCM. This guide was developed based on this blog post.


This guide is intended for IT administrators and network administrators who manage Palo Alto GlobalProtect.


This guide contains instructions for enrolling and managing Sectigo certificates on Palo Alto virtualized firewalls. It doesn’t cover configuration of firewalls.

Execution flow

Sectigo ACME Palo Alto GlobalProtect connector diagram
  1. The ACME client initiates a request from SCM via a public or private ACME enrollment endpoint:

    1. An authentication request is created.

    2. A private key is generated with the corresponding certificate signing request (CSR).

    3. The CSR is uploaded to the ACME endpoint.

  2. The SCM ACME endpoint responds:

    1. The authentication process is completed.

    2. A certificate is generated.

    3. The certificate is sent back to the ACME client.

  3. The machine running the ACME client uploads the PFX file to a Palo Alto firewall:

    1. The certificate, private key, and chain are converted to PFX format.

    2. The PFX file is uploaded to the firewall.

    3. The configuration changes are committed to the firewall.