>
    Strata Copilot
    Generate a Private Key and Block It
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Decryption
    4. Block Private Key Export
    5. Generate a Private Key and Block It
    Download PDF

    Generate a Private Key and Block It

    Table of Contents
    End-of-Life (EoL)

    Generate a Private Key and Block It

    Secure private keys that you generate on PAN-OS devices by blocking key export.
    Block the export of a private key to prevent its misuse after generating a certificate.
    1. Select DeviceCertificate ManagementCertificatesDevice Certificates.
      If there is more than one virtual system, select a Location or Shared for the certificate.
    2. Generate the certificate.
    3. Select Block Private Key Export to prevent anyone from exporting the certificate.
      See Generate a Certificate for information about the other certificate fields.
    4. Click Generate to generate the new certificate.
      You can also generate a certificate and block its private key from export using the operational CLI command: 
      admin@pa-220> request certificate generate block-private-keys yes
      The preceding CLI command can also include the certificate and other parameters that are not shown.

    © 2025 Palo Alto Networks, Inc. All rights reserved.