Add a Certificate to Cloud NGFW for AWS
Cloud NGFW uses certificates to access an intelligent feed and to enable inbound and outbound decryption. These certificates are stored in AWS Secrets Manager. When adding a certificate to AWS Secrets Manager for use with Cloud NGFW, the following prerequisites must be met.
- The certificate is added as a key/value pair with two keys, private-key and public-key. For private-key, the value is the private key itself; for public-key, the value is the certificate body.
- A tag with the key PaloAltoCloudNGFW and the value true.
- For outbound certificates, the CA field under Basic Constraints in the CA certificate must be set to true.
- For outbound certificates, when chained certificates are used, you must import the Root CA certificate and the Intermediate CA certificate(s) into the client's trust store.
- If you are using end-entity certificates for decrypting traffic, only the end-entity certificates (both the private and the public key) must be stored in AWS Secrets Manager.
The PKCS#1 private key format is not supported by Cloud NGFW for AWS; the PKCS#8 private key format is supported.
Supported PKCS#8 format:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Unsupported PKCS#1 format:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Complete the following procedure to add a certificate for use with Cloud NGFW for AWS.
- Add your certificate to AWS Secrets Manager.
  - Log in to the AWS console, navigate to AWS Secrets Manager, and click Store a new secret.
  - Select Other type of secret.
  - Under Key/value pairs, create a key called private-key and another called public-key.
  - Paste your entire private key and your entire public key into the corresponding fields.
  - Enter a descriptive Secret Name.
  - Add a tag with the Key PaloAltoCloudNGFW and the Value true.
  - Click Next, Next again, and Store to finish adding your certificate.
- Select Rulestacks and select a previously-created rulestack on which to configure the certificate.
- Select Objects > Certificate List > Add Certificate.
- Enter a descriptive Name for your certificate.
- (Optional) Enter a description for your certificate.
- Enter the Certificate ARN from AWS Secrets Manager.
- If the certificate is self-signed, check Self Signed Certificate. Inbound decryption does not support self-signed certificates.
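As an added example (not Palo Alto Networks' code and not part of the AWS console procedure), the following standard-library Python script checks the prerequisites listed above before a secret is created: it classifies the private key by its PEM header, rewraps a PKCS#1 RSA key into the supported PKCS#8 form (the same transformation `openssl pkcs8 -topk8 -nocrypt` performs), checks that an outbound CA certificate carries basicConstraints cA=TRUE, and assembles the two-key secret plus the PaloAltoCloudNGFW=true tag in the shape boto3's `create_secret` accepts. The function names, the secret name and the sample inputs are constructed for this example; the sample "key" and "certificate" are minimal DER fragments, not real credentials.

```python
"""Prepare a certificate and private key for Cloud NGFW for AWS (added example).

Standard-library only. Covers the page's prerequisites:
  * private key must be PKCS#8 ("BEGIN PRIVATE KEY"), not PKCS#1 ("BEGIN RSA PRIVATE KEY");
  * a PKCS#1 RSA key can be rewrapped as unencrypted PKCS#8;
  * the secret holds exactly private-key and public-key and is tagged PaloAltoCloudNGFW=true;
  * an outbound (CA) certificate must have basicConstraints cA=TRUE.
"""
import base64
import json
import re

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
BASIC_CONSTRAINTS_OID = bytes.fromhex("0603551d13")            # OID 2.5.29.19
REQUIRED_TAGS = [{"Key": "PaloAltoCloudNGFW", "Value": "true"}]


def key_format(pem):
    """Classify a PEM private key by its header: 'pkcs8', 'pkcs1', 'pkcs8-encrypted' or 'unknown'."""
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----", pem)
    label = m.group(1) if m else ""
    return {"PRIVATE KEY": "pkcs8", "RSA PRIVATE KEY": "pkcs1",
            "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}.get(label, "unknown")


def pem_to_der(pem, label):
    """Extract and base64-decode the block with the given PEM label."""
    body = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if not body:
        raise ValueError(f"no {label} block found")
    return base64.b64decode("".join(body.group(1).split()))


def der_to_pem(der, label):
    """Wrap DER bytes in a PEM envelope with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def _der_len(n):
    """DER length encoding (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def pkcs1_to_pkcs8(pkcs1_pem):
    """Wrap an RSAPrivateKey (PKCS#1) in a PrivateKeyInfo (unencrypted PKCS#8)."""
    rsa_der = pem_to_der(pkcs1_pem, "RSA PRIVATE KEY")
    alg_id = _tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")             # {rsaEncryption, NULL}
    info = _tlv(0x30, b"\x02\x01\x00" + alg_id + _tlv(0x04, rsa_der))  # version 0, alg, key
    return der_to_pem(info, "PRIVATE KEY")


def ca_flag(cert_der):
    """True/False from the basicConstraints extension, None if it is absent.

    Byte-level scan for the usual short-form DER layout, not a full X.509 parser;
    `openssl x509 -noout -text` (look for CA:TRUE) is the authoritative check.
    """
    i = cert_der.find(BASIC_CONSTRAINTS_OID)
    if i < 0:
        return None
    p = i + len(BASIC_CONSTRAINTS_OID)
    if cert_der[p:p + 2] == b"\x01\x01":        # optional 'critical' BOOLEAN
        p += 3
    if cert_der[p:p + 1] != b"\x04" or cert_der[p + 2:p + 3] != b"\x30":
        return None                              # expect OCTET STRING { SEQUENCE ... }
    seq_len = cert_der[p + 3]
    body = cert_der[p + 4:p + 4 + seq_len]
    return body[:3] == b"\x01\x01\xff"           # cA BOOLEAN TRUE; absent means DEFAULT FALSE


def build_secret_request(name, private_key_pem, cert_pem, outbound=False):
    """Return kwargs for boto3 secretsmanager.create_secret(); raise if a prerequisite fails."""
    fmt = key_format(private_key_pem)
    if fmt == "pkcs1":
        raise ValueError("PKCS#1 key is not supported; convert with pkcs1_to_pkcs8() first")
    if fmt != "pkcs8":
        raise ValueError(f"unsupported private key format: {fmt}")
    cert_der = pem_to_der(cert_pem, "CERTIFICATE")
    if outbound and ca_flag(cert_der) is not True:
        raise ValueError("outbound CA certificate must have basicConstraints cA=TRUE")
    return {
        "Name": name,
        "SecretString": json.dumps({"private-key": private_key_pem, "public-key": cert_pem}),
        "Tags": REQUIRED_TAGS,
    }


# Constructed sample inputs (not real keys or certificates): the PKCS#1 body is the DER
# SEQUENCE { INTEGER 0 }, and the "certificate" is just a basicConstraints extension with cA=TRUE.
SAMPLE_PKCS1_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CA_CERT_PEM = der_to_pem(bytes.fromhex("0603551d130101ff040530030101ff"), "CERTIFICATE")

if __name__ == "__main__":
    pkcs8_pem = pkcs1_to_pkcs8(SAMPLE_PKCS1_PEM)
    request = build_secret_request("ngfw-outbound-ca", pkcs8_pem, SAMPLE_CA_CERT_PEM, outbound=True)
    print(json.dumps(request, indent=2))
```

Passing the returned dict as `boto3.client("secretsmanager").create_secret(**request)` creates the secret; the ARN in the response is the Certificate ARN entered in the rulestack step. For chained outbound certificates the root and intermediate CA certificates still have to be distributed to client trust stores separately, which this script does not do.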