Secure certificates on PAN-OS devices by preventing the export
of their private keys.

You can now permanently block the export of private keys for
certificates to harden your security posture and prevent rogue administrators
or other bad actors from misusing keys. You can block the export of
keys when you generate them in or import them into Panorama and PAN-OS,
but you cannot block the export of keys that already exist on a device.

If you use an enterprise Public Key Infrastructure
(PKI) to generate certificates and private keys, block the export
of private keys. You can install the keys on new firewalls and
Panoramas from your enterprise certificate authority (CA), so there
is no reason to export them from PAN-OS.
You can generate and block keys, import and block keys, block
a key for IKE gateway authentication, and verify that the key is
To generate and block a private key from export:
If there is more than one virtual system, select a