Generate a Private Key and Block It
Next-Generation Firewall


Disable the export of private keys generated on PAN-OS devices to prevent unauthorized use.
To prevent the misuse of a private key after generating a certificate, you can permanently block the export of the corresponding private key. You can only enable the Block Private Key Export option at the time of generating or importing a certificate onto PAN-OS.
If you generate self-signed certificates on the firewall or Panorama and apply the block private key export option, you can’t export the certificate and key to other PAN-OS appliances.
  1. Select Device > Certificate Management > Certificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
    If there is more than one virtual system, select a Location or Shared for the certificate.
  2. Generate the certificate.
  3. Select Block Private Key Export to prevent anyone from exporting the certificate.
    See Generate a Certificate for information about the other certificate fields.
  4. Generate the new certificate.
    You can also generate a certificate and block its private key from export using the operational CLI command:
    admin@pa-220> request certificate generate block-private-keys yes
    The preceding CLI command can also include the certificate and other parameters that are not shown.