Block Export of Private Keys
Prevent the export of private keys to secure certificates on PAN-OS devices.
You can now permanently block the export of private keys for certificates to harden your security posture and prevent rogue administrators or other bad actors from misusing keys. You can block keys when you generate them in or import them into Panorama and PAN-OS, but you cannot block keys that already exist on a device.
If you use an enterprise Public Key Infrastructure (PKI) to generate certificates and private keys, block the export of private keys because you can install them on new firewalls and Panoramas from your enterprise certificate authority (CA), so there is no reason to export them from PAN-OS.
You can generate and block keys, import and block keys, block a key for IKE gateway authentication, and verify that the key is blocked:
- To generate and block a private key from export:
- Select. If there is more than one virtual system, select aDeviceCertificate ManagementCertificatesDevice CertificatesLocationorSharedfor the certificate.
- Generatethe certificate.
- ClickGenerateto generate the new certificate.
- To import and block a private key from export:
- SelectDeviceCertificate ManagementCertificatesDevice CertificatesLocationorSharedfor the certificate.
- Importthe certificate.
- SelectImport Private Key.
- ClickOKto import the certificate.If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
These CLI commands include keywords to specify the source, the certificate name, and other parameters that are not shown.
- scp import private-key block-private-key ...
- scp import certificate block-private-key ...
- To block a private key from export for IKE Gateway Authentication:
- Select.NetworkNetwork ProfilesIKE Gateways
- Adda new IKE Gateway.
- On theGeneraltab, forAuthentication, selectCertificate.
- Enter the certificate information. If you are importing the certificate, selectImport Private Keyto activate theBlock Private Key Exportcheckbox.
- SelectBlock Private Key Exportto prevent anyone from exporting the key.For importing a certificate, enter and confirm thePassphraseand then clickOKFor generating a certificate, clickGenerate.
- Enter thePassphrase, confirm it, and then clickOK.
- To verify that a private key is blocked from export:
- Check theKeycolumn in.DeviceCertificate ManagementCertificatesDevice CertificatesThe forward-untrust-certificate is not blocked and the forward-trust-certificate is blocked:
- When you attempt to export a certificate whose private key is blocked, theExport Private Keycheckbox is not available and you can’t export the key.
Recommended For You
Recommended videos not found.