Verify Private Key Blocking
Confirm that private keys are blocked and cannot be exported using these methods.
Blocking the export of private keys from your PAN-OS devices hardens your security posture because it prevents rogue administrators or other bad actors from misusing private keys. As an extra precaution, after enabling Block Private Key Export, verify that the feature works. Use the following methods to confirm that you can't export the private key for the certificates to which you enabled this option:
  • Check the Key column in the Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later) tab.
    Select Device > Certificate Management > Certificates, and then view Device Certificates (PAN-OS 11.2 and earlier) or Custom Certificates (PAN-OS 12.1.0 and later).
    In this example, the forward-trust-certificate is blocked:
  • Check whether the Export Private Key checkbox is available when you attempt to export a certificate whose private key is blocked from export.
    If the checkbox isn't available, you can export only the certificate, not its private key, which confirms that the feature is active.
  • Use the following operational CLI command to list all certificates on the device or in a particular Vsys that have private keys blocked from export:
    admin@pa-220> request certificate show-blocked <shared | vsys>
  • Use the following operational CLI command to check whether a particular certificate’s private key is blocked from export:
    admin@pa-220> request certificate is-blocked certificate-name <name>
    If the certificate's private key is blocked from export, the command returns yes. If the certificate's private key is not blocked from export, the command returns no.
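The two CLI checks above are easy to script when you have more than a handful of certificates to verify. The following is an added example, not Palo Alto Networks code: it builds the exact operational commands from the page for a list of certificate names, interprets the yes/no replies, and reports any certificate whose private key is still exportable. It assumes the operator runs the commands (for example over SSH) and collects the replies; the reply format of yes/no is stated on the page, the sample replies and certificate names other than forward-trust-certificate are constructed here, and the acceptance of any scope beginning with vsys for show-blocked is an assumption.

```python
"""Audit helper for Block Private Key Export on PAN-OS (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


def is_blocked_command(name: str) -> str:
    """Return the operational command from the page that reports whether one
    certificate's private key is blocked from export."""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError(f"invalid certificate name: {name!r}")
    return f"request certificate is-blocked certificate-name {name}"


def show_blocked_command(scope: str) -> str:
    """Return the operational command from the page that lists all blocked
    certificates in a scope. The page shows <shared | vsys>; accepting any
    scope that starts with 'vsys' (e.g. vsys1) is an assumption."""
    if scope != "shared" and not scope.startswith("vsys"):
        raise ValueError(f"scope must be 'shared' or a vsys name, got {scope!r}")
    return f"request certificate show-blocked {scope}"


def parse_is_blocked_reply(reply: str) -> bool:
    """The page states is-blocked returns yes or no. Anything else is an error,
    never silently treated as 'blocked'."""
    answer = reply.strip().lower()
    if answer == "yes":
        return True
    if answer == "no":
        return False
    raise ValueError(f"unexpected reply: {reply!r}")


@dataclass
class AuditResult:
    blocked: List[str] = field(default_factory=list)
    unblocked: List[str] = field(default_factory=list)  # keys still exportable
    unknown: List[str] = field(default_factory=list)    # no usable reply

    @property
    def ok(self) -> bool:
        """True only when every expected certificate was confirmed blocked."""
        return not self.unblocked and not self.unknown


def audit_private_key_blocking(expected: Iterable[str],
                               replies: Dict[str, str]) -> AuditResult:
    """Classify each certificate that should have its key blocked, using the
    collected reply to its is-blocked command."""
    result = AuditResult()
    for name in sorted(set(expected)):
        reply = replies.get(name)
        if reply is None:
            result.unknown.append(name)
            continue
        try:
            blocked = parse_is_blocked_reply(reply)
        except ValueError:
            result.unknown.append(name)
            continue
        (result.blocked if blocked else result.unblocked).append(name)
    return result


# Constructed sample: certificates that are expected to be blocked, and the
# replies an operator collected for three of them (the fourth got no reply).
EXPECTED = ["forward-trust-certificate", "forward-untrust-certificate",
            "gp-portal-cert", "mgmt-cert"]
SAMPLE_REPLIES = {
    "forward-trust-certificate": "yes\n",
    "forward-untrust-certificate": "no\n",
    "gp-portal-cert": "Yes",
}

if __name__ == "__main__":
    print("# commands to run on the firewall:")
    print(show_blocked_command("shared"))
    for cert in EXPECTED:
        print(is_blocked_command(cert))
    result = audit_private_key_blocking(EXPECTED, SAMPLE_REPLIES)
    print("blocked:  ", result.blocked)
    print("UNBLOCKED:", result.unblocked)
    print("unknown:  ", result.unknown)
    print("audit ok:", result.ok)
```

A certificate with no reply, or with a reply that is not yes or no, lands in `unknown` rather than being counted as blocked, so the audit only passes when every expected certificate is positively confirmed.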