Import a Private Key and Block It

Secure private keys that you import into PAN-OS devices by blocking key export.
Block the export of a private key to prevent its misuse after importing a certificate.
  1. Select Device > Certificate Management > Certificates > Device Certificates.
    If there is more than one virtual system, select a Location or Shared for the certificate.
  2. Import the certificate.
  3. Select Import Private Key to activate the option to block private key export.
  4. Select Block Private Key Export to prevent anyone from exporting the certificate.
    See Import a Certificate and Private Key for information about the other certificate import fields.
  5. Click OK to import the certificate.
    If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
    • scp import private-key block-private-key ...
    Each of the preceding CLI commands can also include keywords to specify the source, the certificate name, and other parameters that are not shown.
    If you use the SCP operational CLI command to export a certificate and include its private key (scp export certificate passphrase <phrase> remote-port <1-65536> to <destination> certificate-name <name> include-key <yes | no> format <der | pem | pkcs10 | pkcs12>), and if the certificate’s private key is blocked, the command fails and returns an error message because you cannot export a blocked private key.
