Certificate Management
    
    Learn about the use and management of keys and certificates to secure network
        communications.
    Certificate management is the management of digital certificates throughout their
            lifecycle to maintain secure network communications. This critical process involves the
            generation, storage, protection, deployment, renewal, and revocation of digital
            certificates. Monitoring certificate status and receiving alerts for expiring
            certificates, among other tasks, are key. Effective certificate management ensures
            that only authorized users can access resources, and it ensures minimal downtime and
            continuity of service.
You can set up certificates, add certificate authorities, add OCSP responders, and define
            certificate checks from a single administrative interface. The certificates and settings
            you set up in the Certificate Management section on the firewall secure features like
            decryption, the Authentication Portal, and the GlobalProtect™ app.
    
    Configure different keys and certificates for each
            application.
  Palo Alto Networks firewalls and Panorama use certificates in the following
            applications:
- User authentication for Authentication Portal, multi-factor authentication (MFA),
                    and web interface access to a firewall or Panorama 
- Device authentication for GlobalProtect VPN (remote user-to-site or large scale)
                    and IPSec site-to-site VPN with IKE 
- External dynamic list validation 
- User-ID agent and TS agent access 
- Decrypting inbound and outbound SSL traffic: a firewall decrypts the traffic to apply policy rules, then re-encrypts it before
                    forwarding the traffic to the final destination. For outbound traffic, the
                    firewall acts as a forward proxy server, establishing an SSL/TLS connection to
                    the destination server. To secure a connection between itself and the client,
                    the firewall uses a signing certificate to automatically generate a
                    copy of the destination server certificate.
To manage certificates, select . 
For more details on core components of certificates and certificate management, see Keys and Certificates.
Handled incorrectly, certificate management can lead to major costs for your organization
            and major frustration for end users. If you have an Enterprise PKI, generate the Forward
            Trust CA certificate for forward proxy traffic from your Enterprise Root CA and import
            it into the certificate store on your Next-Generation Firewall. Because the Forward
            Trust CA certificate is issued by your Enterprise Root CA, your users’ endpoints trust
            it automatically, and end users won’t get frustrating error messages.
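
A pre-import check for the Forward Trust CA certificate described above, as an added example that is not Palo Alto Networks code: it uses the `openssl` command line on an administrator workstation to confirm that the certificate chains to the Enterprise Root CA, is a CA certificate, and is not close to expiry. The function names, file names, subjects and the demo PKI are constructed for the illustration.

```shell
#!/bin/sh
# Added example: pre-import checks for a Forward Trust CA certificate.
# Every name, subject and path here is constructed for the demonstration.

# check_forward_trust CERT ROOT [MIN_DAYS]
# Returns 0 on success; 1, 2 or 3 identifies the check that failed.
check_forward_trust() {
    cert=$1 root=$2 min_days=${3:-30}
    # 1. Chain: endpoints that trust ROOT must be able to validate CERT.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $root"; return 1; }
    # 2. CA flag: a signing certificate needs basicConstraints CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: $cert is not a CA certificate"; return 2; }
    # 3. Expiry: flag certificates that need renewal within MIN_DAYS.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || { echo "FAIL: $cert expires within $min_days days"; return 3; }
    echo "OK: $cert"
}

# issue DIR NAME EXT_SECTION DAYS [SIGNER]: self-signed if SIGNER is omitted.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    if [ -n "${5:-}" ]; then
        sign="-CA $1/$5.pem -CAkey $1/$5.key -CAcreateserial"
    else
        sign="-signkey $1/$2.key"
    fi
    # $sign is left unquoted so it splits into options (DIR has no spaces).
    openssl x509 -req -in "$1/$2.csr" $sign -extfile "$1/ext.cnf" \
        -extensions "$3" -days "$4" -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: constructed test PKI, one certificate per outcome.
make_demo_pki() {
    mkdir -p "$1"
    printf '%s\n' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        '[v3_leaf]' 'basicConstraints=CA:FALSE' >"$1/ext.cnf"
    issue "$1" root v3_ca 3650 &&          # stands in for the Enterprise Root CA
    issue "$1" fwd-trust v3_ca 365 root && # passes all checks
    issue "$1" selfsigned v3_ca 365 &&     # fails check 1
    issue "$1" leaf v3_leaf 365 root &&    # fails check 2
    issue "$1" short-lived v3_ca 5 root    # fails check 3
}
```

Run `make_demo_pki` on a scratch directory, then call `check_forward_trust` on each generated `.pem` against `root.pem` to see each outcome; against real files, pass the exported Forward Trust CA certificate and your Enterprise Root CA certificate.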