Use AWS Secrets Manager to Store VM-Series Certificates

Integrate cloud native key managers to store certificates.
You can integrate cloud native key managers to store certificates. Private keys used for certificates are not stored on the firewall’s hard drive, which avoids the risk of exposing private keys from the firewall’s local storage. Administrators retain certificates and private keys in cloud storage. The firewall uses AWS Secrets Manager to retrieve the certificates and private keys from cloud storage, and uses them for features like decryption and IPSec.
Only VM-Series firewalls support certificate retrieval via AWS Secrets Manager. Once you are using AWS Secrets Manager certificates, you cannot downgrade to an earlier version of PAN-OS.
For outbound and inbound decryption, upload the certificates to the native key manager and provide the required access permissions to the NGFW.
An NGFW on a public cloud can use AWS Secrets Manager to store certificates. In such cases, the required access management policies are configured for those instances using PAN-OS or the CLI.
For environments using autoscaling, an instance boots up in a state with the necessary certificates retrieved and ready to decrypt traffic without additional manual configuration.
When a certificate is updated in the cloud, it must be re-imported as a new certificate onto the firewall. You must assign IAM roles to an instance to enable it to retrieve certificates from the AWS Secrets Manager store. The IAM role must have Get permission for Secrets from AWS Secrets Manager.
All certificates are deleted when the master key changes, and are then re-fetched upon commit. When the configuration is synchronized to the passive firewall in an HA pair, the management daemon on the passive firewall downloads the certificate automatically; the certificate itself is therefore not synchronized.
  1. In the AWS Management Console, create an IAM role, or select a role that was previously created. The IAM role you use must have read/write privileges.
  2. Select the IAM Role policy in the Instances section of the AWS Console to view the Secrets Manager.
  3. In the Permissions tab, select the Secrets Manager. You’ll use this screen to view public and private keys.
  4. In the Secrets screen, select the name of the secrets file associated with the IAM role.
  5. In the Secret field, select Key/value to display the private and public key. Both keys should be the same. Additionally, private or public keys must match the format AWS expects in Secrets Manager. If the format does not match, key retrieval fails.
    The Rotation configuration option must be Disabled. This feature is not supported.
  6. Return to your resource group and select the VM-Series firewall. Click Identity > User Assigned and add the Managed Identity.
  7. Return to Secrets Manager and select Certificates. Import your certificate.
  8. Log in to the VM-Series firewall.
  9. Select Device > Certificate Management > Certificates > Import.
  10. Under Cloud, enter the certificate name and set the file format.
  11. Select Cloud, then choose AWS from the Cloud Platform drop-down:
    1. Enter the Certificate Name; copy this from the Certificate Name field in AWS Secrets Manager > Secrets.
    2. Select AWS for the Cloud Platform.
    3. Enter the Cloud Secret Name; copy this from the Secret name field in AWS Secrets Manager > Secrets.
    4. You can specify the Algorithm in the Certificate Information screen. Choose the algorithm for your configuration, either RSA or Elliptic Curve DSA. By default, the algorithm is set to RSA. Configure the certificate to be used as a Forward Trust Certificate, Forward Untrust Certificate, or Trusted Root CA. You can alternatively select all algorithms for the certificate.
    5. Click OK.
    6. Commit your changes.
  12. Verify that the certificate was added successfully:
    1. Select Device > Certificate Management > Certificates.
    2. Your new certificate should be listed.
    Certificate details are not displayed in the Certificates screen. To view this information in the CLI, use the command:
    show shared certificate <cert-name>
    You can confirm configuration of certificate integration in Panorama. Use the Device Certificate window to determine if the certificate is used. Keep in mind that because data is not stored in the running configuration (the hard drive), all fields in the Device Certificates table are empty, except for the Usage field (if configured) and the Cloud Secret Name.
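As an added example (not from this documentation or from Palo Alto Networks), the following Python script checks the three conditions the procedure above depends on before you attempt the import: the instance role grants the Get permission on the secret (assumed here to map to the secretsmanager:GetSecretValue IAM action and scoped to that one secret), rotation is disabled, and the secret is stored as a Key/value map. The ARN, account, secret name and the key names inside the secret are constructed placeholders, and the inputs stand in for what describe-secret, get-secret-value and the role's policy document would return.

```python
import fnmatch
import json

# Constructed sample inputs (not from the documentation): a DescribeSecret response,
# the secret's Key/value payload, and the policy attached to the instance's IAM role.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:vmseries-fwd-trust-AbCdEf"
DESCRIBE_SECRET = {"ARN": SECRET_ARN, "Name": "vmseries-fwd-trust", "RotationEnabled": False}
SECRET_STRING = json.dumps({  # key names are an assumption; the page only says "Key/value"
    "certificate": "-----BEGIN CERTIFICATE-----\n...constructed...\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN PRIVATE KEY-----\n...constructed...\n-----END PRIVATE KEY-----",
})
ROLE_POLICY = {
    "Statement": [{"Effect": "Allow",
                   "Action": ["secretsmanager:GetSecretValue"],
                   "Resource": SECRET_ARN}],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(statement, action, resource):
    # IAM Action/Resource values may carry '*' wildcards; fnmatch approximates that matching.
    return (statement.get("Effect") == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement.get("Resource", []))))

def policy_grants_get(policy, secret_arn):
    """True if the role can read this secret (the Get permission the firewall needs)."""
    return any(_allows(s, "secretsmanager:GetSecretValue", secret_arn) for s in policy.get("Statement", []))

def policy_is_scoped(policy):
    """False if the role can also read an unrelated secret, i.e. Resource is '*' or ':secret:*'."""
    probe = "arn:aws:secretsmanager:us-east-1:111122223333:secret:some-other-secret-XyZ123"
    return not any(_allows(s, "secretsmanager:GetSecretValue", probe) for s in policy.get("Statement", []))

def check_secret(describe, secret_string, policy):
    """Return the problems that would break or weaken the firewall's certificate retrieval."""
    problems = []
    if describe.get("RotationEnabled"):
        problems.append("rotation is enabled; the firewall does not support rotated secrets")
    try:
        kv = json.loads(secret_string)
        if not isinstance(kv, dict) or not all(isinstance(v, str) and v for v in kv.values()):
            raise ValueError("not a key/value map")
    except ValueError:
        problems.append("secret is not a Key/value map of non-empty strings; retrieval will fail")
    if not policy_grants_get(policy, describe["ARN"]):
        problems.append("instance role lacks GetSecretValue on this secret")
    if not policy_is_scoped(policy):
        problems.append("role policy reads every secret in the account; scope Resource to this ARN")
    return problems
```

Run `check_secret` against the real outputs of `aws secretsmanager describe-secret`, `get-secret-value` and the role's policy document; an empty list means the import steps should succeed.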
