Block Export of Private Keys

Prevent the export of private keys to secure certificates on PAN-OS devices.
You can now permanently block the export of private keys for certificates to harden your security posture and prevent rogue administrators or other bad actors from misusing keys. You can block keys when you generate them in or import them into Panorama and PAN-OS, but you cannot block keys that already exist on a device.
If you use an enterprise Public Key Infrastructure (PKI) to generate certificates and private keys, block the export of private keys because you can install them on new firewalls and Panoramas from your enterprise certificate authority (CA), so there is no reason to export them from PAN-OS.
You can generate and block keys, import and block keys, block a key for IKE gateway authentication, and verify that the key is blocked:
  • To generate and block a private key from export:
    1. Select
      Device
      Certificate Management
      Certificates
      Device Certificates
      . If there is more than one virtual system, select a
      Location
      or
      Shared
      for the certificate.
    2. Generate
      the certificate.
    3. Select
      Block Private Key Export
      . See Generate a Certificate for information about the other certificate fields.
    4. Click
      Generate
      to generate the new certificate.
  • To import and block a private key from export:
    1. Select
      Device
      Certificate Management
      Certificates
      Device Certificates
      . If there is more than one virtual system, select a
      Location
      or
      Shared
      for the certificate.
    2. Import
      the certificate.
    3. Select
      Import Private Key
      .
    4. Select
      Block Private Key Export
      . See Import a Certificate and Private Key for information about the other certificate import fields.
    5. Click
      OK
      to import the certificate.
      If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
      • scp import private-key block-private-key ...
      • scp import certificate block-private-key ...
      These CLI commands include keywords to specify the source, the certificate name, and other parameters that are not shown.
  • To block a private key from export for IKE Gateway Authentication:
    1. Select
      Network
      Network Profiles
      IKE Gateways
      .
    2. Add
      a new IKE Gateway.
    3. On the
      General
      tab, for
      Authentication
      , select
      Certificate
      .
    4. For
      Local Certificate
      select
      Import
      or
      Generate
      depending on whether you want to import an existing certificate or create a certificate.
    5. Enter the certificate information. If you are importing the certificate, select
      Import Private Key
      to activate the
      Block Private Key Export
      checkbox.
    6. Select
      Block Private Key Export
      to prevent anyone from exporting the key.
      For importing a certificate, enter and confirm the
      Passphrase
      and then click
      OK
      For generating a certificate, click
      Generate
      .
    7. Enter the
      Passphrase
      , confirm it, and then click
      OK
      .
  • To verify that a private key is blocked from export:
    1. Check the
      Key
      column in
      Device
      Certificate Management
      Certificates
      Device Certificates
      .
      The forward-untrust-certificate is not blocked and the forward-trust-certificate is blocked:
      verify-private-key-block-key-columns-v2.png
    2. When you attempt to export a certificate whose private key is blocked, the
      Export Private Key
      checkbox is not available and you can’t export the key.

Recommended For You