1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Certificate Management
    5. Configure a Certificate Profile

    Configure a Certificate Profile

    Certificate profiles define user and device authentication for Authentication Portal, multi-factor authentication (MFA), GlobalProtect, site-to-site IPSec VPN, external dynamic list (EDL) validation, Dynamic DNS (DDNS), User-ID agent and TS agent access, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.
    It is a best practice to enable Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) status verification for certificate profiles to verify that the certificate hasn’t been revoked. Enable both OCSP and CRL so that if the OCSP server isn’t available, the firewall uses CRL. For details on these methods, see Certificate Revocation.
    1. Obtain the certificate authority (CA) certificates you will assign.
      Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
      • Export a certificate from your enterprise CA and then import it onto the firewall (see step to 3).
    2. Identify the certificate profile.
      1. Select
        Device
        Certificate Management
        Certificate Profile
         and click
        Add
        .
      2. Enter a
        Name
         to identify the profile. The name is case-sensitive, must be unique and can use up to 63 characters on the firewall or up to 31 characters on Panorama that include only letters, numbers, spaces, hyphens, and underscores.
      3. If the firewall has more than one virtual system (vsys), select a
        Location
         (vsys or
        Shared
        ) for the certificate.
    3. Assign one or more certificates.
      Perform the following steps for each CA certificate:
      1. In the CA Certificates table, click
        Add
        .
      2. Select a
        CA Certificate
        . Alternatively, to import a certificate, click
        Import
        , enter a
        Certificate Name
        ,
        Browse
         to the
        Certificate File
         you exported from your enterprise CA, and click
        OK
        .
      3. (
        Optional
        ) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
        • By default, the firewall uses the “Authority Information Access” (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a
          Default OCSP URL
           (starting with
          http://
           or
          https://
          ).
        • By default, the firewall uses the certificate selected in the
          CA Certificate
           field to validate OCSP responses. To use a different certificate for validation, select it in the
          OCSP Verify CA Certificate
           field.
      4. Click
        OK
        . The CA Certificates table displays the assigned certificate.
    4. Define the methods for verifying certificate revocation status and the associated blocking behavior.
      1. Select
        Use CRL
         and/or
        Use OCSP
        . If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
      2. Depending on the verification method, enter the
        CRL Receive Timeout
         and/or
        OCSP Receive Timeout
        . These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
      3. Enter the
        Certificate Status Timeout
        . This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define. The
        Certificate Status Timeout
         relates to the OCSP/CRL
        Receive Timeout
         as follows:
        • If you enable both OCSP and CRL—The firewall registers a request timeout after the lesser of two intervals passes: the
          Certificate Status Timeout
           value or the aggregate of the two
          Receive Timeout
           values.
        • If you enable only OCSP—The firewall registers a request timeout after the lesser of two intervals passes: the
          Certificate Status Timeout
           value or the OCSP
          Receive Timeout
           value.
        • If you enable only CRL—The firewall registers a request timeout after the lesser of two intervals passes: the
          Certificate Status Timeout
           value or the CRL
          Receive Timeout
           value.
      4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select
        Block session if certificate status is unknown
        . Otherwise, the firewall allows the sessions.
      5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select
        Block session if certificate status cannot be retrieved within timeout
        . Otherwise, the firewall allows the sessions.
      6. (
        GlobalProtect only
        ) If you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint, select
        Block sessions if the certificate was not issued to the authenticating device
        .
    5. Click
      OK
       and
      Commit

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo