Certificate Management
Learn about the use and management of keys and certificates to secure network
communications.
Certificate management is the management of digital certificates throughout their
lifecycle to maintain secure network communications. This critical process involves the
generation, storage, protection, deployment, renewal, and revocation of digital
certificates. Monitoring certificate status, receiving alerts for expiring certificates,
and more are key. Effective certificate management ensures that only authorized users
can access resources, and it keeps downtime to a minimum so that service continues
without interruption.
You can set up certificates, add certificate authorities, add OCSP responders, and define
certificate checks from a single administrative interface. The certificates and settings
you set up in the Certificate Management section on the firewall secure features like
decryption, the Authentication Portal, and the GlobalProtect™ app.
Configure different keys and certificates for each
application.
Palo Alto Networks firewalls and Panorama use certificates in the following
applications:
User authentication for Authentication Portal, multi-factor authentication (MFA),
and web interface access to a firewall or Panorama
Device authentication for GlobalProtect VPN (remote user-to-site or large scale)
and IPSec site-to-site VPN with IKE
External dynamic list validation
User-ID agent and TS agent access
Decrypting inbound and outbound SSL traffic
A firewall decrypts the traffic to apply policy rules, then re-encrypts it before
forwarding the traffic to the final destination. For outbound traffic, the firewall acts
as a forward proxy server, establishing an SSL/TLS connection to the destination server.
To secure a connection between itself and the client, the firewall uses a signing
certificate to automatically generate a copy of the destination server certificate.
To manage certificates, select .
For more details on core components of certificates and certificate management, see
Keys and Certificates.
Handled incorrectly, certificate management can lead to major costs for your organization
and major frustration for end users. If you have an Enterprise PKI, generate the Forward
Trust CA certificate for forward proxy traffic from your Enterprise Root CA and import
it into the certificate store on your Next-Generation Firewall. Since the certificate is
part of the root CA, your users’ endpoints trust it automatically, and end users won’t
get frustrating error messages.
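The forward-proxy re-signing described under "Decrypting inbound and outbound SSL traffic" and the Enterprise Root trust point made in the paragraph above, as an added Go example that is not Palo Alto Networks code: it issues a constructed Enterprise Root and a Forward Trust CA from it, re-signs a stand-in server certificate the way the firewall does, and checks whether an endpoint trusts the copy with the Enterprise Root installed and with only the server's public issuer trusted. All certificate names, serials and www.example.com are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // panics on error so the demo stays short
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the cert with its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// template builds a one-day certificate template; keyCertSign usage makes it a CA (CA:TRUE), otherwise a leaf with SANs.
func template(cn string, serial int64, ku x509.KeyUsage, sans ...string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}
// chainsTo reports whether leaf validates for host against root, with inter presented as the chain's intermediate.
func chainsTo(leaf, inter, root *x509.Certificate, host string) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(inter)
	_, err := leaf.Verify(opts)
	return err == nil
}
// Demo issues the Forward Trust CA from a constructed Enterprise Root, copies a stand-in server certificate's subject and
// SANs into a leaf signed by that CA (as the firewall does), and reports which endpoints trust the copy (constructed names).
func Demo() (withEnterpriseRoot, withPublicCAOnly bool) {
	entRoot, entKey := issue(template("Example Enterprise Root CA", 1, x509.KeyUsageCertSign), nil, nil)
	fwdCA, fwdKey := issue(template("Example Forward Trust CA", 2, x509.KeyUsageCertSign), entRoot, entKey)
	pubCA, pubKey := issue(template("Example Public CA", 3, x509.KeyUsageCertSign), nil, nil) // the real server's issuer
	server, _ := issue(template("www.example.com", 4, x509.KeyUsageDigitalSignature, "www.example.com"), pubCA, pubKey)
	proxied, _ := issue(template(server.Subject.CommonName, 5, x509.KeyUsageDigitalSignature, server.DNSNames...), fwdCA, fwdKey)
	return chainsTo(proxied, fwdCA, entRoot, "www.example.com"), chainsTo(proxied, fwdCA, pubCA, "www.example.com")
}
```

An endpoint that trusts only the public CA rejects the re-signed copy, which is exactly the certificate error users see when the Forward Trust CA is not issued from (or distributed with) a root their devices already trust.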