Focus

Next-Generation Firewall

Generate Certificate (Strata Cloud Manager)

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Generate Certificate (Strata Cloud Manager)

Log in to Strata Cloud Manager.
Select ConfigurationNGFW and Prisma AccessObjectsCertificate Management.
In the Custom Certificates pane, click Generate.
Enter a Certificate Name. The name is case-sensitive and can have up to 63 characters. It must be unique and use only letters, numbers, hyphens, and underscores.
For Common Name, enter the FQDN (recommended) or IP address of the interface where you will configure the service that uses this certificate.
For Signed By, select the root CA certificate that will issue the certificate.
Configure the Cryptographic Settings.
1. Select a key generation Algorithm: RSA (default) or Elliptic Curve DSA (ECDSA). ECDSA is recommended for client browsers and operating systems that support it.
  
  Hardware security modules (HSMs) cannot be used to store private ECDSA keys used for SSL Forward Proxy or SSL Inbound Inspection.
2. Select the Number of Bits to define the certificate key length.
  Higher numbers are more secure but require more processing time.
  
  For RSA, select 512 bits, 1024 bits, 2048 bits, 3072 bits, or 4096 bits.
  
  If the NGFW is in FIPS-CC mode, the RSA keys generated must be either 2048 or 3027 bits.
  
  For ECDSA, select either 256 bits or 4096 bits.
3. Select a Digest algorithm.
  From most to least secure, the options are: sha512, sha384, sha256 (default), sha1, and md5.
  
  For RSA, select md5, sha1, sha256, sha384, or sha512.
  
  If the NGFW is in FIPS-CC mode, you must select sha256, sha384, or sha512.
  
  For Elliptic Curve DSA, select either sha256 or sha384.
  
  Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have sha512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as sha384) or you must limit the Max Version to TLSv1.1 when you configure SSL/TLS service profiles for the firewall services.
4. For Expiration, enter the number of days (default is 365) for which the certificate is valid.
(Optional) Add Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.

If you add a Host Name (DNS name) attribute, match it to the Common Name, because the hostname populates the Subject Alternate Name (SAN) field of the certificate and some browsers require the SAN to specify the domains the certificate protects; in addition, the Host Name matching the Common Name is mandatory for GlobalProtect.
(Optional) Select an OCSP Responder.
Save the certificate.

The certificate displays in the Custom Certificates list.

Next-Generation Firewall Docs

Generate Certificate (Strata Cloud Manager)

Next-Generation Firewall Docs

Generate Certificate (Strata Cloud Manager)

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner