If you found this page, it seems the Palo Alto KB didn't help. Don't keep regenerating the self-signed certificate; it doesn't help. Here are the steps.
For Windows users
Set up OpenSSL
1. Download and install OpenSSL from Shining Light Productions (please donate if it helps).
Then generate the CSR (Palo Alto KB)
1. Complete the "Generate the CSR" steps.
Back on your laptop/PC, sign the certificate
1. Open CMD as administrator and go to the OpenSSL folder, for example C:\Program Files\OpenSSL-Win64\bin
2. Type the command to generate the root CA private key:
openssl.exe genrsa -out rootCA.key 2048
3. Type the command to create the self-signed root CA certificate:
openssl.exe req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"
4. Create an extensions file. For example, in C:\Program Files\OpenSSL-Win64\bin, create a text file named v3_req.txt with the content below:
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
Save it.
5. Download the CSR from Palo Alto and save it to the OpenSSL bin directory, for example C:\Program Files\OpenSSL-Win64\bin
6. Type the command below, replacing server.csr with the name of the downloaded CSR. The -extensions v3_req option tells OpenSSL to apply the [ v3_req ] section of the extensions file; without it, the section is not read because the file has no default section pointing to it.
openssl.exe x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_req.txt -extensions v3_req
7. Upload the signed certificate to Palo Alto. Make sure the certificate name is exactly the same as the generated CSR file name.
This solved the issue.
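An added check, not part of the original steps: before the upload in step 7, this batch script confirms that server.crt chains to rootCA.crt, carries the key usage extensions from v3_req.txt, and contains the same public key as the CSR from Palo Alto. It assumes the file names used in the steps above (replace server.csr with your downloaded CSR name) and an OpenSSL build that supports the x509 -ext option (1.1.1 or later).

```bat
@echo off
rem Added example: sanity checks on the certificate signed in step 6.
rem Assumes the file names from the steps above and an admin CMD window.
cd /d "C:\Program Files\OpenSSL-Win64\bin"

rem 1. The signed certificate must verify against the root CA.
openssl.exe verify -CAfile rootCA.crt server.crt
if errorlevel 1 (
    echo FAIL: server.crt does not chain to rootCA.crt
    exit /b 1
)

rem 2. Show the extensions that were applied from v3_req.txt.
rem    Expect Key Usage marked critical and Extended Key Usage
rem    "TLS Web Server Authentication". If nothing is printed for them,
rem    the extensions section was not applied during signing.
openssl.exe x509 -in server.crt -noout -ext keyUsage,extendedKeyUsage

rem 3. The certificate must carry the same public key as the CSR,
rem    otherwise the firewall cannot pair it with its private key.
openssl.exe req -in server.csr -noout -pubkey > csr_pub.pem
openssl.exe x509 -in server.crt -noout -pubkey > crt_pub.pem
fc csr_pub.pem crt_pub.pem > nul
if errorlevel 1 (
    echo FAIL: public key in server.crt differs from server.csr
    del csr_pub.pem crt_pub.pem
    exit /b 1
)
del csr_pub.pem crt_pub.pem

echo OK: chain verified and public key matches the CSR
```

rootCA.key is written without a passphrase, so restrict access to it once signing is done.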