Focus

Next-Generation Firewall

Device > Certificate Management > Certificate Profile

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Manage Default Trusted Certificate Authorities

Device > Certificate Management > OCSP Responder

Device > Certificate Management > Certificate Profile

DeviceCertificate ManagementCertificate Profile
PanoramaCertificate ManagementCertificate Profile

Certificate profiles define which certificate authority (CA) certificates to use for verifying client certificates, how to verify certificate revocation status, and how that status constrains access. You select the profiles when configuring certificate authentication for Authentication Portal, GlobalProtect, site-to-site IPSec VPN, Dynamic DNS (DDNS), and web interface access to firewalls and Panorama. You can configure a separate certificate profile for each of these services.

Certificate Profile Settings	Description
Name	(`Required`) Enter a name to identify the profile (up to 63 characters on the firewall or up to 31 characters on Panorama). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location	Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (`firewalls`) or as Panorama. After you save the profile, you can’t change its Location.
Username Field	If GlobalProtect only uses certificates for portal and gateway authentication, the PAN-OS software uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service: Subject—The common name. Subject Alt—The Email or Principal Name. None—Typically for GlobalProtect device or pre-login authentication.
Domain	Enter the NetBIOS domain so the PAN-OS software can map users through User-ID.
CA Certificates	(`Required`) Add a CA Certificate to assign to the profile. Optionally, if the firewall uses Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply. By default, the firewall uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://). By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field. In addition, enter a Template Name to identify the template that was used to sign the certificate.
Use CRL	Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates.
Use OCSP	Select this option to use OCSP to verify the revocation status of certificates. If you select both OCSP and CRL, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable.
CRL Receive Timeout	Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the CRL service.
OCSP Receive Timeout	Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
Certificate Status Timeout	Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you define.
Block session if certificate status is unknown	Select this option if you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the sessions.
Block sessions if certificate status cannot be retrieved within timeout	Select this option if you want the firewall to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the firewall proceeds with the sessions.
Block sessions if the certificate was not issued to the authenticating device	(`GlobalProtect only`) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication.
Block sessions with expired certificates	Select this option if you want the firewall to block sessions with servers that present expired certificates.

Manage Default Trusted Certificate Authorities

Device > Certificate Management > OCSP Responder

Next-Generation Firewall Docs

Device > Certificate Management > Certificate Profile

Next-Generation Firewall Docs

Device > Certificate Management > Certificate Profile

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner