Block Export of Private Keys
End-of-Life (EoL)

Prevent the export of private keys to secure certificates on PAN-OS devices.
You can now permanently block the export of private keys for certificates to harden your security posture and prevent rogue administrators or other bad actors from misusing keys. You can block keys when you generate them in or import them into Panorama and PAN-OS, but you cannot block keys that already exist on a device.
If you use an enterprise Public Key Infrastructure (PKI) to generate certificates and private keys, block the export of private keys because you can install them on new firewalls and Panoramas from your enterprise certificate authority (CA), so there is no reason to export them from PAN-OS.
You can generate and block keys, import and block keys, block a key for IKE gateway authentication, and verify that the key is blocked:
  • To generate and block a private key from export:
    1. Select Device > Certificate Management > Certificates > Device Certificates. If there is more than one virtual system, select a Location or Shared for the certificate.
    2. Generate the certificate.
    3. Select Block Private Key Export. See Generate a Certificate for information about the other certificate fields.
    4. Click Generate to generate the new certificate.
  • To import and block a private key from export:
    1. Select Device > Certificate Management > Certificates > Device Certificates. If there is more than one virtual system, select a Location or Shared for the certificate.
    2. Import the certificate.
    3. Select Import Private Key.
    4. Select Block Private Key Export. See Import a Certificate and Private Key for information about the other certificate import fields.
    5. Click OK to import the certificate.
       If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
       • scp import private-key block-private-key ...
       • scp import certificate block-private-key ...
       These CLI commands include keywords to specify the source, the certificate name, and other parameters that are not shown.
  • To block a private key from export for IKE Gateway Authentication:
    1. Select Network > Network Profiles > IKE Gateways.
    2. Add a new IKE Gateway.
    3. On the General tab, for Authentication, select Certificate.
    4. For Local Certificate, select Import or Generate depending on whether you want to import an existing certificate or create a certificate.
    5. Enter the certificate information. If you are importing the certificate, select Import Private Key to activate the Block Private Key Export checkbox.
    6. Select Block Private Key Export to prevent anyone from exporting the key.
       For importing a certificate, enter and confirm the Passphrase and then click OK. For generating a certificate, click Generate.
    7. Enter the Passphrase, confirm it, and then click OK.
  • To verify that a private key is blocked from export:
    1. Check the Key column in Device > Certificate Management > Certificates > Device Certificates.
       The forward-untrust-certificate is not blocked and the forward-trust-certificate is blocked.
    2. When you attempt to export a certificate whose private key is blocked, the Export Private Key checkbox is not available and you can’t export the key.
