With PAN-OS and Panorama, the option to encrypt the API key using a self-signed certificate is now available, ensuring enhanced security when you retrieve your API key. This feature utilizes the PAN-OS device certificate management function to encrypt the API key for added protection.

See use cases for Keys and Certificates on PAN-OS for more information on how to manage certificates using PAN-OS and Panorama.

This feature introduces a new field under DeviceSetupManagementAuthentication settings that enables you to select an API Key Certificate to encrypt your API key. To use this feature, simply generate an RSA Certificate above 3,027 bits and select the created certificate as the API key certificate under the Authentication Settings option.

The existing workflow to generate the API key will still be the same, but now all existing API keys will be invalid when you add or change an API key certificate.