Import a Private Key and Block It
Focus
Focus

Import a Private Key and Block It

Table of Contents

Import a Private Key and Block It

Secure private keys that you import into PAN-OS devices by blocking key export.
Block the export of a private key to prevent its misuse after importing a certificate.
  1. Select DeviceCertificate ManagementCertificates, then Device Certificates.
    If there is more than one virtual system, select a Location or Shared for the certificate.
  2. Import the certificate.
  3. Select Import Private Key to activate the option to block private key export.
  4. Select Block Private Key Export to prevent anyone from exporting the certificate.
    See Import a Certificate and Private Key for information about the other certificate import fields.
  5. Click OK to import the certificate.
    If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
    • admin@pa-220> scp import private-key block-private-key ...
    Each of the preceding CLI commands can also include keywords to specify the source, the certificate name, and other parameters that are not shown.
    If you use the SCP operational CLI command to export a certificate and include its private key (scp export certificate passphrase <phrase> remote-port <1-65536> to <destination> certificate-name <name> include-key <yes | no> format <der | pem | pkcs10 | pkcs12>), and if the certificate’s private key is blocked, the command fails and returns an error message because you cannot export a blocked private key.