1. Home
    2. AWS
    3. Cloud NGFW for AWS
    4. Cloud NGFW for AWS Rulestacks and Rules
    5. Cloud NGFW for AWS Security Rule Objects
    6. Add a Certificate to Cloud NGFW for AWS

    Add a Certificate to Cloud NGFW for AWS

    Cloud NGFW uses certificates to access an intelligent feed and to enable inbound and outbound decryption. These certificates are stored in the AWS Secrets Manager. The when adding certificate to the AWS Secrets Manager for use with Cloud NGFW, the following prerequisites must be met.
    • Certificate added as a key/value pair, with two keys—
      private-key
       and
      public-key
      . For the private key, the value should be the actual key and, for the public-key, the value should be the actual certificate body.
    • A tag with the key
      PaloAltoCloudNGFW
       and value of
      true
      .
    • For outbound certificates, the CA value under the Basic Constraints in the CA certificate must be set to
      true
      .
    • For outbound certificates and when chained certificates are used, you must import the Root CA certificate and Intermediate CA certificate(s) to trust store of the client.
    • If you are using end-entity certificates for decrypting traffic, only the end-entity certificates (both private and public keys) must be stored in the AWS Secrets Manager.
    PKCS1 private key format is not supported on by Cloud NGFW for AWS. PKCS private key format is supported.
    Supported PKCS format:
    -----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
    Unsupported PKCS1 format:
    -----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
    Complete the following procedure to add a certificate for use with Cloud NGFW for AWS.
    1. Add your certificate to the AWS Secrets Manager.
      1. Log in to the AWS console, navigate to the AWS Secrets Manager, and click
        Store a new secret
        .
      2. Select
        Other type of secret
        .
      3. Under
        Key/value pairs
        , create a key called
        private-key
         and another called
        public-key
        .
      4. Paste your entire private key and entire public key in the corresponding field.
      5. Click
        Next
        .
      6. Enter a descriptive
        Secret Name
        .
      7. Add a tag with the Key
        PaloAltoCloudNGFW
         and Value
        true
        .
      8. Click
        Next
        ,
        Next
         again, and
        Store
         to finishing adding your certificate.
    2. Select
      Rulestacks
       and select a previously-created rulestack on which to configure a custom URL category.
    3. Select
      Objects
      Certificate List
      Add Certificate
      .
    4. Enter a descriptive
      Name
       for your certificate.
    5. (
      optional
      ) Enter a description for your certificate.
    6. Enter the
      Certificate ARN
       from the AWS Secrets Manager.
    7. If the certificate is self-signed, check
      Self Signed Certificate
      .
      Inbound decryption does not support self-signed certificates.
    8. Click
      Save
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo