Palo Alto SAML Cert Guide / Okta + Sectigo + PAN-OS

Prepared: April 2, 2026

CA-Signed Certificate for Palo Alto SAML Authentication

Complete guide for replacing the self-signed Okta SAML certificate with a Sectigo CA-signed certificate so Palo Alto's "Validate Identity Provider Certificate" option can be enabled.

IdP: Okta
CA: Sectigo
Firewall: Palo Alto (PAN-OS)
Cert Work: Linux Server (OpenSSL)
Key Size: RSA 2048-bit

Why this is necessary: By default, Okta generates a self-signed certificate for SAML signing. Palo Alto's "Validate Identity Provider Certificate" checkbox requires the SAML assertion to be signed with a CA-issued certificate that chains to a trusted root. Without this, PAN-OS cannot validate the IdP, leaving the SAML integration vulnerable to certificate spoofing.

Your setup: Windows workstations (can't run OpenSSL natively without extra tooling), so all cert generation happens on your Linux server. Sectigo is your CA for signing.

Certificate Flow

Linux Server — CSR → Sectigo CA — Signed Cert → Linux Server — .p12 Bundle → Okta — Metadata XML → PAN-OS

Linux generates key + CSR  |  Sectigo signs it  |  PKCS12 uploaded to Okta  |  Updated metadata imported into PAN-OS

1 Phase 1: Generate Private Key + CSR

All commands run on your Linux server. You need OpenSSL installed (it almost certainly is).

Pre-flight check: Run openssl version to confirm OpenSSL is available. Any version 1.1+ is fine.

1.1 Generate the Private Key (Linux)

Generate a 2048-bit RSA private key. This key never leaves the Linux server until you bundle it for Okta.

# Generate 2048-bit RSA private key
openssl genrsa -out okta-saml.key 2048

Protect this file. The private key is the crown jewel. If compromised, anyone can forge SAML assertions. Set restrictive permissions immediately:

chmod 600 okta-saml.key

1.2 Generate the Certificate Signing Request (CSR) (Linux)

The CSR contains your organization's info and the public key. Sectigo will use this to issue the signed cert.

# Generate CSR from the private key
openssl req -new -key okta-saml.key -out okta-saml.csr

You will be prompted for the following fields:

Field                 What to Enter                   Notes
Country (C)           US                              2-letter country code
State (ST)            Your state                      Full name, e.g. "Pennsylvania"
Locality (L)          Your city                       e.g. "Pittsburgh"
Organization (O)      Your company legal name         Must match Sectigo account
Org Unit (OU)         IT / Security                   Optional, but fill if Sectigo requires
Common Name (CN)      yourcompany.okta.com            Your Okta org URL
Email                 admin@yourcompany.com           Optional
Challenge Password    (leave blank — press Enter)     Do not set this

One-liner alternative (skip the interactive prompts):

openssl req -new -key okta-saml.key -out okta-saml.csr \
  -subj "/C=US/ST=Your State/L=Your City/O=Your Company/OU=IT/CN=yourcompany.okta.com"

1.3 Verify the CSR (Linux)

Before submitting to Sectigo, verify the CSR is valid and contains the correct info.

# Verify and inspect the CSR
openssl req -text -noout -verify -in okta-saml.csr

Confirm:

  • Output says verify OK
  • Subject line shows your correct CN, O, C, ST, L
  • Public Key is 2048 bit

2 Phase 2: Get Sectigo to Sign the Certificate

2.1 Submit CSR to Sectigo (Sectigo)

  1. Log into your Sectigo Certificate Manager portal
  2. Start a new certificate request
  3. Paste or upload the contents of okta-saml.csr
  4. For certificate type — options depend on your Sectigo subscription:
    • Preferred: "Client Certificate" or "Digital Signing" type (SAML signing doesn't need server auth EKU)
    • Also works: Standard SSL/TLS cert (has more EKUs than needed but will function)
  5. Set the validity period (1 year is standard; check your org's policy)
  6. Complete domain/organization validation as required by Sectigo
  7. Submit and wait for approval

Turnaround time: OV (Organization Validated) certs typically take 1–3 business days. DV (Domain Validated) certs can be minutes. Check which validation level your Sectigo account uses.

2.2 Download the Signed Certificate (Sectigo)

Once approved, download from Sectigo. You will typically receive:

File                                                  What It Is                You Need It For
yourcompany_okta_com.crt                              Your signed certificate   Okta upload + PKCS12 bundle
SectigoRSAOrganizationValidationSecureServerCA.crt    Intermediate CA cert      PKCS12 bundle + PAN-OS import
USERTrustRSAAAACA.crt                                 Root CA cert              PAN-OS import (Certificate Profile)

Tip: Rename the files to something sane for easier reference:

mv yourcompany_okta_com.crt okta-saml.crt
mv SectigoRSA*.crt sectigo-intermediate.crt
mv USERTrust*.crt sectigo-root.crt

2.3 Verify the Certificate Chain (Linux)

Confirm the signed cert chains properly to the Sectigo root.

# Create a CA bundle (intermediate + root)
cat sectigo-intermediate.crt sectigo-root.crt > sectigo-ca-bundle.crt

# Verify your cert against the chain
openssl verify -CAfile sectigo-ca-bundle.crt okta-saml.crt

Expected output: okta-saml.crt: OK

If verification fails: You may be missing an intermediate cert. Check your Sectigo download — some bundles include multiple intermediates. Make sure all of them are in the CA bundle.

2.4 Create the PKCS12 (.p12) Bundle (Linux)

Okta requires a PKCS12 file that bundles your private key + signed cert + intermediate chain together.

# Create PKCS12 bundle for Okta import
openssl pkcs12 -export \
  -out okta-saml.p12 \
  -inkey okta-saml.key \
  -in okta-saml.crt \
  -certfile sectigo-intermediate.crt

You will be prompted for an export password. Write this down — you'll need it when uploading to Okta. This password protects the .p12 file in transit. Use something strong but accessible to your team.

Verify the .p12 was created correctly:

# Inspect the PKCS12 bundle contents
openssl pkcs12 -info -in okta-saml.p12 -nokeys

You should see your certificate subject and the Sectigo intermediate listed.

3 Phase 3: Upload Certificate to Okta

3.1 Upload the PKCS12 to Okta (Okta Admin)

  1. Log into the Okta Admin Console
  2. Navigate to Applications → Applications
  3. Find and click your Palo Alto Networks SAML app
  4. Go to the Sign On tab
  5. Scroll to the SAML Signing Certificates section
  6. Click "Upload Certificate" (or "Add Certificate" depending on your Okta version)
  7. Select your okta-saml.p12 file
  8. Enter the export password you set in Phase 2
  9. Click Upload

Alternative path: If you don't see the upload option on the app, navigate to Security → Certificates to upload at the org level, then assign it to the app.

3.2 Activate the New Certificate (Okta Admin)

  1. In the SAML Signing Certificates section, you should now see two certs:
    • The original self-signed cert (currently active)
    • Your new Sectigo CA-signed cert (inactive)
  2. Click the Actions dropdown on the new CA-signed cert
  3. Select "Activate"
  4. Deactivate the old self-signed certificate

Downtime warning: Between activating the new cert in Okta and importing the updated metadata into PAN-OS, SAML authentication to Palo Alto will break. Plan this during a maintenance window or when you can immediately proceed to Phase 4.

3.3 Download Updated Metadata (Okta Admin)

  1. Still on the Sign On tab of the Palo Alto app
  2. Right-click the "Identity Provider metadata" link
  3. Save as okta-metadata.xml

Critical: You MUST re-download the metadata after changing the certificate. The metadata XML embeds the X.509 certificate. If you use old metadata, PAN-OS will still reference the old self-signed cert and validation will fail.

Optional verification — confirm the metadata contains the new cert:

# Check that the cert in metadata matches your new cert
grep "X509Certificate" okta-metadata.xml

The base64 blob should differ from what was there before.
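Eyeballing the blob only tells you it changed, not that it is your Sectigo-signed cert. As an added example (not part of the original guide), this standard-library Python check parses the metadata with proper SAML/XML-DSig namespaces, skips encryption-only KeyDescriptors, and compares the SHA-256 fingerprint of each signing cert with the fingerprint of the PEM you downloaded from Sectigo, the same value openssl x509 -fingerprint -sha256 prints. The embedded sample metadata and certificate bytes are constructed placeholders, not real certificates; the file names okta-saml.crt and okta-metadata.xml are assumed from this guide.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem_text):
    """Strip the PEM armour and whitespace from the first certificate; return DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der):
    """SHA-256 fingerprint, colon-separated like 'openssl x509 -noout -fingerprint -sha256'."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def metadata_signing_fingerprints(metadata_xml):
    """Fingerprints of the signing certs in the IdP metadata. A KeyDescriptor without a
    'use' attribute covers signing and encryption, so it counts; use="encryption" is skipped."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(base64.b64decode("".join((cert.text or "").split()))))
    return fps

def metadata_matches_cert(metadata_xml, cert_pem):
    """True when the cert PAN-OS will import from the metadata is the one Sectigo signed."""
    return fingerprint(pem_to_der(cert_pem)) in metadata_signing_fingerprints(metadata_xml)
# Constructed sample data: placeholder bytes stand in for DER, they are NOT real certificates.
def _pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

def _metadata(der):  # minimal Okta-style IdP metadata with one signing KeyDescriptor
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}">'
            '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>\n  {base64.b64encode(der).decode()}\n</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')

NEW_CERT_PEM = _pem(b"placeholder DER of the new Sectigo-signed cert")
NEW_METADATA = _metadata(b"placeholder DER of the new Sectigo-signed cert")   # re-downloaded
OLD_METADATA = _metadata(b"placeholder DER of the old Okta self-signed cert")  # stale copy
```

Against real files, call metadata_matches_cert(open("okta-metadata.xml").read(), open("okta-saml.crt").read()); a False result means you are holding stale metadata and PAN-OS would still learn the old self-signed cert.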

4 Phase 4: Configure Palo Alto (PAN-OS)

4.1 Import the CA Certificate Chain (PAN-OS)

Import the Root CA

  1. Device → Certificate Management → Certificates
  2. Click Import
  3. Certificate Name: Sectigo-Root-CA
  4. Certificate File: upload sectigo-root.crt
  5. File Format: PEM (Base64 Encoded Certificate)
  6. Click OK

Import the Intermediate CA

  1. Click Import again
  2. Certificate Name: Sectigo-Intermediate-CA
  3. Certificate File: upload sectigo-intermediate.crt
  4. File Format: PEM
  5. Click OK

Note: You do NOT import the Okta SAML signing cert here — that comes in via the metadata XML. You only import the CA certs that PAN-OS needs to validate the chain.

4.2 Create a Certificate Profile (PAN-OS)

  1. Device → Certificate Management → Certificate Profile
  2. Click Add
  3. Name: Okta-SAML-Cert-Profile
  4. Under CA Certificates, click Add:
    • Select Sectigo-Root-CA
  5. Click Add again (recommended):
    • Select Sectigo-Intermediate-CA
  6. Click OK

Why both? Including the intermediate in the Certificate Profile ensures PAN-OS can build the full chain even if the Okta metadata only includes the end-entity cert (which is common).

4.3 Update the SAML IdP Server Profile (PAN-OS)

  1. Device → Server Profiles → SAML Identity Provider
  2. Either edit your existing profile or click Add for a new one
  3. Click "Import"
  4. Select the okta-metadata.xml you downloaded in Phase 3
  5. Check the box: "Validate Identity Provider Certificate"
  6. Click OK

This is the key setting. The "Validate Identity Provider Certificate" checkbox is the entire reason for this process. It tells PAN-OS to verify the SAML response signature against a trusted CA chain instead of blindly trusting any certificate.

4.4 Update the Authentication Profile (PAN-OS)

  1. Device → Authentication Profile
  2. Edit your SAML authentication profile
  3. Ensure these are set:
    • IdP Server Profile: The profile you just updated/created in 4.3
    • Certificate Profile: Okta-SAML-Cert-Profile (from 4.2)
  4. Click OK

4.5 Commit (PAN-OS)

  1. Click Commit in the top-right of the PAN-OS UI
  2. If using Panorama: also push the configuration to the relevant device groups
  3. Wait for the commit to complete successfully

After commit: SAML authentication is now using the CA-signed certificate. Proceed immediately to Phase 5 to validate.

5 Phase 5: Test & Troubleshoot

5.1 Validation Test (PAN-OS)

  1. Open an incognito / private browser window (avoids cached sessions)
  2. Navigate to your Palo Alto portal:
    • GlobalProtect Portal: your VPN login page
    • Admin UI: if SAML is enabled for admin access
    • Captive Portal: if using SAML for network auth
  3. You should be redirected to Okta
  4. Authenticate with your Okta credentials
  5. You should be redirected back to Palo Alto and logged in

Success looks like: Normal SSO flow, no certificate errors, landed back in the Palo Alto portal authenticated. The user experience is identical to before — the improvement is invisible (and that's the point).

5.2 Troubleshooting Reference

Symptom | Likely Cause | Fix
"Certificate validation failed" | Missing intermediate CA in PAN-OS Certificate Profile | Import the Sectigo intermediate cert and add it to the Certificate Profile
SAML loop / never redirects back | Metadata not re-imported after cert swap | Re-download metadata from Okta (Phase 3.3) and re-import into PAN-OS (Phase 4.3)
"Invalid signature" error | Old self-signed cert still active in Okta | Verify the CA-signed cert is active and the self-signed is deactivated in Okta
Can't upload .p12 to Okta | Wrong export password or key mismatch | Recreate the .p12 bundle (Phase 2.4) and verify the password
"Untrusted certificate" in PAN-OS logs | Root CA cert not imported into PAN-OS | Import sectigo-root.crt into Device → Certificates
Commit fails with certificate error | Certificate Profile references a cert that wasn't imported | Check that both Sectigo certs show up under Device → Certificates

Where to Find Logs in PAN-OS

  • Monitor → Logs → System — filter for saml or auth
  • Monitor → Logs → Authentication — shows SAML auth attempts
  • CLI: show log system subtype eq auth
  • CLI: debug sslmgr view to inspect certificate state

Verify Certificate from CLI

On the PAN-OS CLI, you can check that certs are properly loaded:

# Show all imported certificates
> show sslmgr-store certificate

# Show SAML IdP config
> show authentication saml-idp

Master Checklist


Phase 1: Generate Key + CSR (Linux Server)

  • Generate RSA 2048-bit private key (okta-saml.key)
  • Set restrictive permissions on key file (chmod 600)
  • Generate CSR with correct org info and Okta CN (okta-saml.csr)
  • Verify CSR — output shows "verify OK" with correct subject

Phase 2: Sectigo Signing

  • Submit CSR to Sectigo portal
  • Complete domain/org validation
  • Download signed cert + intermediate + root
  • Verify certificate chain (openssl verify returns OK)
  • Create PKCS12 bundle (okta-saml.p12) and record export password

Phase 3: Okta Configuration

  • Upload .p12 to Okta Palo Alto SAML app
  • Activate the new CA-signed certificate
  • Deactivate the old self-signed certificate
  • Download updated IdP metadata XML

Phase 4: PAN-OS Configuration

  • Import Sectigo Root CA cert into PAN-OS
  • Import Sectigo Intermediate CA cert into PAN-OS
  • Create Certificate Profile with both CA certs
  • Import updated Okta metadata into SAML IdP Server Profile
  • Enable "Validate Identity Provider Certificate" checkbox
  • Link IdP Server Profile + Certificate Profile in Authentication Profile
  • Commit configuration (and push to device groups if using Panorama)

Phase 5: Validation

  • Test SAML login in incognito browser — redirects to Okta and back
  • Verify no certificate errors in PAN-OS System logs
  • Confirm authentication succeeds for at least one additional test user
  • Document cert expiration date and set renewal reminder