To get started we will install acme.sh:
curl https://get.acme.sh | sh
Next we will use acme.sh to issue the certificates:
./acme.sh --issue -d [domainname] -d [subdomain.domain] --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
Once the above command runs, the output will include a list of TXT records to be added to DNS for each domain and subdomain on the certificate. Add the required TXT records to public DNS and wait for them to propagate. Next, run the command below to generate the certificates:
./acme.sh --renew -d [domainname] -d [subdomain.domain] --yes-I-know-dns-manual-mode-enough-go-ahead-please
This will verify the TXT records and proceed to issue your certificate. The output includes the certificate as well as the paths to the cert, key, intermediate and full chain files.
Browse to the folder named the same as the domain you requested the certificate for and find your new certificates.
Finally, we will use OpenSSL to create the PFX file needed to upload to the Palo Alto firewall:
openssl pkcs12 -export -out certname.pfx -inkey keyname.key -in certname.cer -certfile ca.cer
When prompted, enter and confirm a password for the new PFX file. You can now take this newly created PFX file and upload it to the firewall.
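The "wait for them to propagate" step before --renew can be checked rather than guessed. The script below is an added example, not part of the original page or of acme.sh: it polls several public resolvers until the TXT value that acme.sh printed is visible on all of them. The resolver addresses, function names and script name are assumptions; pass the record name and TXT value exactly as they appear in the acme.sh output.

```shell
#!/bin/sh
# Added example: confirm the ACME DNS-01 TXT value is visible on several
# public resolvers before running the --renew step.
# Assumptions: dig is installed; the resolver list is a sample choice.
DIG="${DIG:-dig}"                              # overridable for offline testing
RESOLVERS="${RESOLVERS:-1.1.1.1 8.8.8.8 9.9.9.9}"

# txt_seen NAME VALUE RESOLVER -> 0 if RESOLVER returns VALUE for NAME.
# dig +short prints each TXT record in double quotes, one per line; a name
# can carry several values (e.g. two names on one certificate sharing a record).
txt_seen() {
    "$DIG" +short TXT "$1" "@$3" 2>/dev/null |
        sed 's/^"//; s/"$//' |
        grep -Fqx -- "$2"      # exact match; "--" because values may start with "-"
}

# propagated NAME VALUE -> 0 only when every resolver in RESOLVERS returns VALUE.
propagated() {
    missing=0
    for r in $RESOLVERS; do
        if txt_seen "$1" "$2" "$r"; then
            echo "ok      $r  $1"
        else
            echo "missing $r  $1"
            missing=1
        fi
    done
    return "$missing"
}

# wait_for_txt NAME VALUE [TRIES] [DELAY_SECONDS] -> 0 once propagated, 1 on give-up.
wait_for_txt() {
    tries="${3:-20}"; delay="${4:-30}"
    while [ "$tries" -gt 0 ]; do
        propagated "$1" "$2" && return 0
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
    done
    return 1
}

# Usage (hypothetical script name): sh check-txt.sh NAME 'TXT value'
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Run it once per TXT record listed by acme.sh, and start the --renew command only after every record reports ok on all resolvers.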