01. Import your certificate to Paloalto Firewall. You can use either pfx(certificate and key in single file) format or pem(certificate and key in 2 different file) format.
Option1(pfx format)
Navigate to Device>Certificate Management>Certificates>Import
Option2(pem format)
*Paloalto only accept encrypted pem key
Navigate to Device>Certificate Management>Certificates>Import
02. Confirm the certificate has been imported successfully and the key column has check mark.
03.Navigate to Device>Certificate Management>SSL/TLS Service Profile>Add. Give it a name of your choice and from drop down menu of certificate select the certificate you just imported.
04. Navigate to Device>Setup>Management, click gear icon on General Settings and from drop down menu of SSL/TLS Service Profile select the profile name you create on step 03.
05. Commit the changes and wait for web service restart.
06. After web service restart, you can confirm https is working and browser doesn’t complain about certificate.
If you need to convert your certificate, below are 2 usefully conversion commands.
pem to pfx
openssl pkcs12 -inkey <inkey.pem> -in <cert.pem> -export -out <cert.pfx> 
unencrypted pem key to encrypted pem key
Key using ECDSA algorithm
openssl ec -aes192 -inkey <privatekey.pem> -out <encryptedkey.pem>Key using RSA algorithm
openssl rsa -inkey <privatekey.pem> -out <encryptedkey.pem>