Import a Private Key and Block It
Secure the private keys that you import into an NGFW, including private keys for IKE Gateways imported into PAN-OS devices, by blocking export of the private key.
To prevent the misuse of a private key after importing a certificate, you can permanently block the export of the corresponding private key. You can only enable the Block Private Key Export option at the time of generating or importing a certificate onto PAN-OS.
  1. Select Device > Certificate Management > Certificates, then Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
    If there is more than one virtual system, select a Location or Shared for the certificate.
  2. Import the certificate.
  3. Select Import Private Key to activate the option to block private key export.
  4. Select Block Private Key Export to prevent anyone from exporting the private key.
    See Import a Certificate and Private Key for information about the other certificate import fields.
  5. Click OK to import the certificate.
    If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
    • admin@pa-220> scp import private-key block-private-key ...
    The preceding CLI command can also include keywords to specify the source, the certificate name, and other parameters that are not shown.
    If you use the SCP operational CLI command to export a certificate together with its private key (scp export certificate passphrase <phrase> remote-port <1-65536> to <destination> certificate-name <name> include-key <yes | no> format <der | pem | pkcs10 | pkcs12>) and the certificate's private key is blocked, the command fails and returns an error message: a blocked private key cannot be exported.

Import a Private Key for IKE Gateway and Block It

Block the export of a private key to prevent its misuse after generating a certificate for IKE Gateway authentication.
  1. Select Network > Network Profiles > IKE Gateways.
  2. Add a new IKE Gateway.
  3. On the General tab, for Authentication, select Certificate.
  4. For Local Certificate, select Import or Generate, depending on whether you want to import an existing certificate or create a new certificate.
  5. Enter the certificate information. If you are importing the certificate, select Import Private Key to activate the Block Private Key Export checkbox.
  6. Select Block Private Key Export to prevent anyone from exporting the key.
    If you are importing a certificate, enter and confirm the Passphrase and then click OK.
    If you are generating a certificate, click Generate.
  7. Enter the Passphrase, confirm it, and then click OK.