Next-Generation Firewall
Generate a Private Key and Block It
Disable the export of private keys generated on PAN-OS devices to prevent
unauthorized use.
To prevent the misuse of a private key after generating a certificate, you can
permanently block the export of the corresponding private key. You can only enable
the Block Private Key Export option at the time of generating
or importing a certificate onto PAN-OS.
If you generate self-signed certificates on the firewall or Panorama and apply
the block private key export option, you can’t export the certificate and key to
other PAN-OS appliances.
- Select Device > Certificate Management > Certificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
- If there is more than one virtual system, select a Location or Shared for the certificate.
- Generate the certificate.
- Select Block Private Key Export to prevent anyone from exporting the certificate. See Generate a Certificate for information about the other certificate fields.
- Generate the new certificate.

You can also generate a certificate and block its private key from export using the operational CLI command:
admin@pa-220> request certificate generate block-private-keys yes
The preceding CLI command can also include the certificate and other parameters that are not shown.