Blocking Private Key Export

Prevent the export of private keys to secure certificates on PAN-OS devices.
You can permanently block the export of private keys for certificates that you generate on, or import onto, PAN-OS firewalls or Panorama. Blocking export hardens your security posture because a rogue administrator or other bad actor who gains administrative access cannot copy the keys off the device and reuse them elsewhere. Administrators whose roles include certificate management can set the block. You can't block keys that already exist on a device; the option is available only at the moment you generate a key in PAN-OS or import one into it.

Once an administrator blocks the export of a private key, no administrator can export that key, not even a Superuser, and the block cannot be removed later. If you later need to export a private key from a PAN-OS appliance, regenerate (or reimport) the certificate and key without selecting the option to block private key export.
    
Blocking the export of private keys is supported on PAN-OS 10.1 and later releases.

To downgrade to an earlier PAN-OS version, first delete the certificates whose private keys are blocked. If you attempt the downgrade without deleting them, an error message asks you to delete those certificates, and the downgrade does not proceed until you do. After you downgrade, reimport or regenerate the deleted certificates if you still need them.
    
If you use an enterprise Public Key Infrastructure (PKI) to generate certificates and private keys, block the export of private keys: the key material already lives in your enterprise certificate authority (CA), so you can install it on new firewalls and Panoramas from there, and there is no reason to ever export it from PAN-OS.

If instead you generate self-signed certificates on the firewall or Panorama and select the block private key export option, you can't export that certificate and key to other PAN-OS appliances; each appliance must generate its own.

You can still export and import the device state even if you block the export of private keys. Device state exports include the private keys, but only in encrypted form, so administrators can't read or decode them from the exported files.
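The following shell script is an added example and is not part of the PAN-OS documentation or Palo Alto Networks' own tooling. It shows the enterprise-PKI workflow recommended above: the key pair is generated and kept outside PAN-OS, signed by the CA, and packaged as a PKCS#12 bundle (a format PAN-OS accepts on certificate import), so the key can be imported onto any firewall or Panorama with export blocked. It also includes the check a practitioner would run on a device-state or configuration export: no PEM private key should appear in clear. The CA, certificate names, paths and passphrase are hypothetical; the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not PAN-OS code. Assumes openssl is installed.
# All names (CA subject, certificate name, passphrase, paths) are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # working directory standing in for the enterprise key store

# Create a throw-away "enterprise CA" for the demo. In production this is your real PKI;
# its key never leaves the CA or HSM.
make_demo_ca() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -days 365 \
        -subj "/CN=Example Enterprise CA" -out "$WORK/ca.crt"
}

# Generate the firewall's key and CSR off-box, sign with the CA, and wrap key + chain
# in a passphrase-protected PKCS#12 bundle ready for import with "Block Private Key
# Export" selected. Because the key is retained here, re-importing it onto another
# firewall or Panorama never requires exporting it from PAN-OS.
#   $1 = certificate name (e.g. fw-gp-portal), $2 = subject CN, $3 = import passphrase
make_import_bundle() {
    name="$1"; cn="$2"; passphrase="$3"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/$name.crt"
    openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
        -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$passphrase" \
        -out "$WORK/$name.p12"
}

# Pre-import sanity check: the bundle opens with the passphrase and carries a private key.
#   $1 = path to .p12, $2 = passphrase
bundle_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'BEGIN .*PRIVATE KEY'
}

# Post-export check on an unpacked device-state or configuration export:
# returns success (0) if any file contains a plaintext PEM private key, which should
# never happen for exports from a device whose keys are blocked.
#   $1 = directory containing the unpacked export
export_has_plaintext_key() {
    grep -rq 'BEGIN .*PRIVATE KEY' "$1"
}
```

Run `make_demo_ca`, then `make_import_bundle fw-gp-portal portal.example.com 'import-passphrase'` and import the resulting `.p12` on each firewall, selecting the block private key export option. Keep the `.key` and `.p12` in the enterprise key store, not on an administrator's workstation, since the whole point of blocking export is that PAN-OS is never the system of record for the key.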
    
You can import or load the configuration of one firewall on another firewall only if the master key is the same on both firewalls, because the private keys in the configuration are encrypted with the master key of the firewall that produced it. If the master keys differ, the import or load doesn't work: the commit fails while reading the certificates.