Strata Cloud Manager
Manage: Certificate Management
Table of Contents
Expand All
|
Collapse All
Strata Cloud Manager Docs
-
- Strata Copilot
- Command Center: Strata Cloud Manager
-
- Dashboard: Build a Custom Dashboard
- Dashboard: Executive Summary
-
- WildFire Dashboard: Filters
- WildFire Dashboard: Total Samples Submitted
- WildFire Dashboard: Analysis Insights
- WildFire Dashboard: Session Trends For Samples Submitted
- WildFire Dashboard: Verdict Distribution
- WildFire Dashboard: Top Applications Delivering Malicious Samples
- WildFire Dashboard: Top Users Impacted By Malicious Samples
- WildFire Dashboard: Top Malware Regions
- WildFire Dashboard: Top Firewalls
- Dashboard: DNS Security
- Dashboard: AI Runtime Security
- Dashboard: IoT Security
- Dashboard: Prisma Access
-
- Application Experience Dashboard: Mobile User Experience Card
- Application Experience Dashboard: Remote Site Experience Card
- Application Experience Dashboard: Experience Score Trends
- Application Experience Dashboard: Experience Score Across the Network
- Application Experience Dashboard: Global Distribution of Application Experience Scores
- Application Experience Dashboard: Experience Score for Top Monitored Sites
- Application Experience Dashboard: Experience Score for Top Monitored Apps
- Application Experience Dashboard: Application Performance Metrics
- Application Experience Dashboard: Network Performance Metrics
- Dashboard: Best Practices
- Dashboard: Compliance Summary
-
- Prisma SD-WAN Dashboard: Device to Controller Connectivity
- Prisma SD-WAN Dashboard: Applications
- Prisma SD-WAN Dashboard: Top Alerts by Priority
- Prisma SD-WAN Dashboard: Overall Link Quality
- Prisma SD-WAN Dashboard: Bandwidth Utilization
- Prisma SD-WAN Dashboard: Transaction Stats
- Prisma SD-WAN Dashboard: Predictive Analytics
- Dashboard: PAN-OS CVEs
- Dashboard: CDSS Adoption
- Dashboard: Feature Adoption
- Dashboard: On Demand BPA
- Manage: IoT Policy Recommendation
- Manage: Enterprise DLP
- Manage: SaaS Security
- Manage: Prisma Access Browser
- Reports: Strata Cloud Manager
-
-
- Strata Cloud Manager Release Information
-
- New Features in March 2025
- New Features in February 2025
- New Features in January 2025
- New Features in December 2024
- New Features in November 2024
- New Features in October 2024
- New Features in September 2024
- New Features in August 2024
- New Features in July 2024
- New Features in June 2024
- New Features in May 2024
- New Features in April 2024
- New Features in March 2024
- New Features in February 2024
- New Features in January 2024
- New Features in November 2023
- New Features in October 2023
- New Features in September 2023
- Known Issues
- Addressed Issues
- Getting Help
Manage: Certificate Management
Learn how to configure Certificate Management Objects.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are
using.
|
Centrally manage the certificates you use to secure communication across your
network. In one place, set up your certificates, add certificate authorities (Prisma
Access includes preloaded certificates for well-known CAs), add OCSP responders, and
define certificate checks you want to require. The certificates and settings you set
up here can be used throughout your Prisma Access deployment to secure features like
decryption, your authentication portal, and the GlobalProtect app.
To ensure trust between parties in a secure communication session, Prisma Access uses
digital certificates. Each certificate contains a cryptographic key to encrypt
plaintext or decrypt ciphertext. Each certificate also includes a digital signature
to authenticate the identity of the issuer. The issuer must be in the list of
trusted certificate authorities (CAs) of the authenticating party. Optionally, the
authenticating party verifies the issuer did not revoke the certificate.Prisma
Access uses certificates to secure features like decryption and authentication, and
to secure communication between all the clients, servers, users, and devices
connecting to your network. Here are some of the keys and certificates that Prisma
Access uses.
As a best practice, use different keys and certificates for each usage.
- Authentication—You can use certificate-based authentication for mobile users connecting to Prisma Access. Additionally, in deployments where Authentication policy identifies users who access HTTPS resources, designate a server certificate for the authentication portal. If you configure the authentication portal to use certificates for identifying users (instead of, or in addition to, interactive authentication), deploy client certificates also.
- Decrypting Trusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates.
- Decrypting Untrusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.
Go to ManageConfigurationNGFW and Prisma AccessObjectsCertificate Management.
From this interface, you can manage:
- Custom Certificates—Generate, import, renew, revoke, and export certificates and private key. To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, add an OCSP Responder before generating the certificate. And as part of generating or importing a certificate, you’ll need to define what type of certificate it is.You can export the private key in the following format:
- Base64 Encoded Certificate (PEM)—This is the default format. It's the most common and has the broadest support on the internet. Export Private Key if you want the exported file to include the private key.
- Encrypted Private Key and Certificate (PKCS12)—This format is more secure than PEM but isn't as common or as broadly supported. The exported file will automatically include the private key.
- Binary Encoded Certificate (DER)—More operating system types support this format than the others. You can't export the private key in this format.
- Certificate Profiles—Certificate profiles define user and device authentication for the features and interactions that rely on certificate authentication. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constraints access. Configure a certificate profile for each of your use cases.
- OCSP Responders—Use Online Certificate Status Protocol (OCSP) to check the revocation status of authentication certificates. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked or unknown) to the client. The advantage of the OCSP method is that it can verify status in real-time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
- SSL/TLS Service Profiles—Prisma Access uses SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling Prisma Access SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.
- Default Trusted Certificate Authorities (CAs))—Prisma Access trusts the most common and trusted authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates the firewall requires to secure connections to the internet.The only additional CAs you might want to add are trusted enterprise CAs that your organization requires.