>
    Strata Copilot
    Generate a Private Key and Block It
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Certificate Management
    4. Blocking Private Key Export
    5. Generate a Private Key and Block It
    Download PDF
    Next-Generation Firewall

    Generate a Private Key and Block It

    Table of Contents

    Generate a Private Key and Block It

    Disable the export of private keys generated on PAN-OS devices to prevent unauthorized use.
    To prevent the misuse of a private key after generating a certificate, you can permanently block the export of the corresponding private key. You can only enable the Block Private Key Export option at the time of generating or importing a certificate onto PAN-OS.
    If you generate self-signed certificates on the firewall or Panorama and apply the block private key export option, you can’t export the certificate and key to other PAN-OS appliances.
    1. Select DeviceCertificate ManagementCertificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
      If there is more than one virtual system, select a Location or Shared for the certificate.
    2. Generate the certificate.
    3. Select Block Private Key Export to prevent anyone from exporting the certificate.
      See Generate a Certificate for information about the other certificate fields.
    4. Generate the new certificate.
      You can also generate a certificate and block its private key from export using the operational CLI command: 
      admin@pa-220> request certificate generate block-private-keys yes
      The preceding CLI command can also include the certificate and other parameters that are not shown.
    5. Verify that you can't export private keys,

    © 2026 Palo Alto Networks, Inc. All rights reserved.