Network Security
Export a Certificate for a Peer to Access Using Hash and URL
| Where Can I Use This? | What Do I Need? |
|---|---|
| | No license required |
IKEv2 supports Hash and URL certificate exchange, which is used during IKEv2 negotiation of an SA. You store the certificate on an HTTP server, and the IKE gateway configuration specifies that server by URL. Instead of the certificate itself, the peer receives the URL and a hash of the certificate; it fetches the certificate from the server and uses the hash to check that the fetched content is the certificate it expects. Thus, the two peers retrieve each other’s certificates from the HTTP server rather than exchanging them directly.
Because only a hash and a URL are sent in place of the full certificate, Hash and URL reduces the IKE message size and thus the likelihood of packet fragmentation during IKE negotiation. When the peer fetches the certificate and it matches the hash it received, IKE Phase 1 has validated the peer. Reducing fragmentation also helps protect against DoS attacks.
You enable Hash and URL certificate exchange when configuring an IKE gateway by selecting HTTP Certificate Exchange and entering the Certificate URL. The peer must also use Hash and URL certificate exchange for the exchange to succeed. If the peer can’t use Hash and URL, X.509 certificates are exchanged in the same way as in IKEv1.
If you enable Hash and URL certificate exchange, you must export your certificate to the certificate server if it isn’t already there. When you export the certificate, the file format should be Binary Encoded Certificate (DER).
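The following is an added example, not part of this page or of PAN-OS, showing why the hash check and the DER export format go together. Per RFC 7296 section 3.6, the Hash and URL certificate encoding carries a 20-octet SHA-1 hash of the DER-encoded certificate followed by the URL; the sample certificate bytes and URL below are constructed placeholders.

```python
import base64
import hashlib
import hmac

# RFC 7296 section 3.6: Certificate Encoding value 12 is
# "Hash and URL of X.509 certificate"; its data is the 20-octet SHA-1
# hash of the DER-encoded certificate followed by the URL.
CERT_ENCODING_HASH_AND_URL = 12
HASH_LEN = 20


def encode_hash_and_url(der_cert: bytes, url: str) -> bytes:
    """Build the CERT payload body (encoding octet + data) a peer would send."""
    digest = hashlib.sha1(der_cert).digest()
    return bytes([CERT_ENCODING_HASH_AND_URL]) + digest + url.encode("ascii")


def parse_hash_and_url(body: bytes) -> tuple[bytes, str]:
    """Split a received CERT payload body into (expected hash, URL)."""
    if len(body) < 1 + HASH_LEN + 1:
        raise ValueError("CERT payload too short for Hash and URL")
    if body[0] != CERT_ENCODING_HASH_AND_URL:
        raise ValueError(f"unexpected certificate encoding {body[0]}")
    return body[1:1 + HASH_LEN], body[1 + HASH_LEN:].decode("ascii")


def fetched_cert_matches(expected_hash: bytes, fetched: bytes) -> bool:
    """Accept the fetched file only if its SHA-1 equals the hash received in IKE."""
    return hmac.compare_digest(hashlib.sha1(fetched).digest(), expected_hash)


def to_pem(der_cert: bytes) -> bytes:
    """Wrap DER in PEM armour: what exporting in the wrong format would serve."""
    b64 = base64.encodebytes(der_cert)
    return b"-----BEGIN CERTIFICATE-----\n" + b64 + b"-----END CERTIFICATE-----\n"


# Constructed placeholder standing in for a DER-encoded certificate; a real
# export is a few hundred to a few thousand bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_URL = "http://certs.example.internal/fw-ike.der"  # hypothetical URL

if __name__ == "__main__":
    body = encode_hash_and_url(SAMPLE_DER, SAMPLE_URL)
    expected, url = parse_hash_and_url(body)
    print(f"payload {len(body)} bytes instead of {len(SAMPLE_DER) + 1}; fetch {url}")
    print("DER file matches hash:", fetched_cert_matches(expected, SAMPLE_DER))
    print("PEM file matches hash:", fetched_cert_matches(expected, to_pem(SAMPLE_DER)))
```

The PEM case fails the check even though it encodes the same certificate, which is why the export step below requires the DER file format.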
Perform this task to export your certificate to that server. You must have already created a certificate using Device > Certificate Management.
1. Select Device > Certificates and, if your platform supports multiple virtual systems, for Location, select the appropriate virtual system.
2. On the Device Certificates tab, select the certificate to Export to the server. The status of the certificate should be valid, not expired. The firewall won’t stop you from exporting an invalid certificate.
3. For File Format, select Binary Encoded Certificate (DER).
4. Leave Export private key clear. Exporting the private key is unnecessary for Hash and URL.
5. Click OK.
