Certificate Management
Learn about the use and management of keys and certificates to secure network communications.
Certificate management is the management of digital certificates throughout their lifecycle to maintain secure network communications. This critical process involves the generation, storage, protection, deployment, renewal, and revocation of digital certificates. Monitoring certificate status and receiving alerts for expiring certificates are key parts of the process. Effective certificate management ensures that only authorized users can access resources, and keeps downtime to a minimum so that service continues uninterrupted.
You can set up certificates, add certificate authorities, add OCSP responders, and define certificate checks from a single administrative interface. The certificates and settings you set up in the Certificate Management section on the firewall secure features like decryption, the Authentication Portal, and the GlobalProtect™ app.
Configure different keys and certificates for each application.
Palo Alto Networks firewalls and Panorama use certificates in the following applications:
  • User authentication for Authentication Portal, multi-factor authentication (MFA), and web interface access to a firewall or Panorama
  • Device authentication for GlobalProtect VPN (remote user-to-site or large scale) and IPSec site-to-site VPN with IKE
  • External dynamic list validation
  • User-ID agent and TS agent access
  • Decrypting inbound and outbound SSL traffic
    A firewall decrypts the traffic to apply policy rules, then re-encrypts it before forwarding the traffic to the final destination. For outbound traffic, the firewall acts as a forward proxy server, establishing an SSL/TLS connection to the destination server. To secure a connection between itself and the client, the firewall uses a signing certificate to automatically generate a copy of the destination server certificate.
To manage certificates, select Device > Certificate Management.
For more details on core components of certificates and certificate management, see Keys and Certificates.
Handled incorrectly, certificate management can lead to major costs for your organization and major frustration for end users. If you have an Enterprise PKI, generate the Forward Trust CA certificate for forward proxy traffic from your Enterprise Root CA and import it into the certificate store on your Next-Generation Firewall. Because the Forward Trust CA certificate chains to your Enterprise Root CA, which your users’ endpoints already trust, they trust it automatically, and end users won’t see frustrating error messages.
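The following Go program is an added illustration, not Palo Alto Networks code or the firewall's own implementation, of the three points above: the decryption step that re-signs a copy of the destination server certificate with the Forward Trust CA, the expiry monitoring that certificate management calls for, and why an endpoint that trusts the Enterprise Root CA accepts the copy while an endpoint without that root rejects it. All certificate names are made up, the origin server certificate is self-signed for brevity, and only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed example PKI: Enterprise Root CA -> Forward Trust CA -> proxy copy
// of the origin server certificate. None of these names are real.
type PKI struct {
	Root, ForwardTrust, Origin, Copy *x509.Certificate
}

var serial int64 // unique serial number per certificate issued by this process

// issue generates a fresh P-256 key for template and signs the certificate with
// parentKey; when parent is nil the certificate is self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	template.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(cn string, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		Subject: pkix.Name{CommonName: cn}, NotBefore: now, NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTemplate(subject pkix.Name, sans []string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject: subject, DNSNames: sans, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildPKI builds the chain described in the text. The proxy copy keeps the
// origin certificate's subject, SANs and validity period but carries a new key
// and is signed by the Forward Trust CA, which the Enterprise Root CA issued.
func BuildPKI(now time.Time) (*PKI, error) {
	root, rootKey, err := issue(caTemplate("Example Enterprise Root CA", now, 10), nil, nil)
	if err != nil {
		return nil, err
	}
	ft, ftKey, err := issue(caTemplate("Example Forward Trust CA", now, 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	// The destination server's own certificate (self-signed here), valid for 20 days.
	origin, _, err := issue(leafTemplate(pkix.Name{CommonName: "www.example.com"},
		[]string{"www.example.com", "example.com"}, now, now.AddDate(0, 0, 20)), nil, nil)
	if err != nil {
		return nil, err
	}
	cp, _, err := issue(leafTemplate(origin.Subject, origin.DNSNames, origin.NotBefore, origin.NotAfter), ft, ftKey)
	if err != nil {
		return nil, err
	}
	return &PKI{Root: root, ForwardTrust: ft, Origin: origin, Copy: cp}, nil
}

// ClientVerify is the check an endpoint performs on the certificate the proxy
// presents: chain through the Forward Trust CA to a root the endpoint trusts.
// A nil trustedRoot models an endpoint that never received the Enterprise Root CA.
func ClientVerify(leaf, intermediate, trustedRoot *x509.Certificate, host string, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustedRoot != nil {
		roots.AddCert(trustedRoot)
	}
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: now})
	return err
}

// DaysUntilExpiry and ExpiringWithin support the expiry alerting the text calls for.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

func ExpiringWithin(cert *x509.Certificate, now time.Time, days int) bool {
	return DaysUntilExpiry(cert, now) <= days
}

func main() {
	now := time.Now().Truncate(time.Second) // certificates store whole seconds only
	pki, err := BuildPKI(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("endpoint trusting the Enterprise Root CA:", ClientVerify(pki.Copy, pki.ForwardTrust, pki.Root, "www.example.com", now))
	fmt.Println("endpoint without it:", ClientVerify(pki.Copy, pki.ForwardTrust, nil, "www.example.com", now))
	fmt.Printf("proxy copy expires in %d days, 30-day alert: %v\n", DaysUntilExpiry(pki.Copy, now), ExpiringWithin(pki.Copy, now, 30))
}
```

The first verification succeeds only because the endpoint's trust store holds the Enterprise Root CA; the second fails with an unknown-authority error, which is exactly the browser warning end users see when the Forward Trust CA is not rooted in a CA their devices already trust. Because the copy inherits the origin certificate's validity period, the expiry check on the copy also tells you when the upstream certificate itself is about to expire.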