Manage Firewall and Panorama Certificates
- Device > Certificate Management > Certificates > Device Certificates
- Panorama > Certificate Management > Certificates
Select Device > Certificate Management > Certificates > Device Certificates or Panorama > Certificate Management > Certificates > Device Certificates to display the certificates that the firewall or Panorama uses for tasks such as securing access to the web interface, SSL decryption, or LSVPN.
The following are some uses for certificates. Define the usage of the certificate after you generate it (see Manage Default Trusted Certificate Authorities).
- Forward Trust—The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption
- Forward Untrust—The firewall uses this certificate to sign a copy of the server certificate the firewall presents to clients during SSL Forward Proxy decryption
- Trusted Root CA—The firewall uses this certificate as a trusted CA for SSL Forward Proxy decryption
- Certificate for Secure Syslog—The firewall uses this certificate to secure the delivery of logs as syslog messages
To generate a certificate, click Generate and specify the following fields. After a certificate is generated, the page displays Other Supported Actions to Manage Certificates.
Settings to Generate a Certificate | Description |
---|---|
Certificate Type | Select the entity that generates the certificate: Local—The firewall or Panorama generates the certificate. SCEP—A Simple Certificate Enrollment Protocol (SCEP) server generates the certificate and sends it to the firewall or Panorama. |
Certificate Name | (Required) Enter a name (up to 63 characters on the firewall or up to 31 characters on Panorama) to identify the certificate. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
SCEP Profile | (SCEP certificates only) Select a SCEP Profile to define how the firewall or Panorama communicates with a SCEP server and to define settings for the SCEP certificate. For details, see Device > Certificate Management > SCEP. You can configure a firewall that serves as a GlobalProtect portal to request SCEP certificates on demand and automatically deploy. The remaining fields in the Generate Certificate dialog do not apply to SCEP certificates. After specifying the Certificate Name and SCEP Profile, click Generate. |
Common Name | (Required) Enter the IP address or FQDN that will appear on the certificate. |
Shared | On a firewall that has more than one virtual system (vsys), select Shared if you want the certificate to be available to every vsys. |
Signed By | To sign the certificate, you can use a certificate authority (CA) certificate that you imported into the firewall. The certificate can also be self-signed, in which case the firewall is the CA. If you are using Panorama, you also have the option of generating a self-signed certificate for Panorama. If you imported CA certificates or issued any on the firewall (self-signed), the drop-down includes the CAs available to sign the certificate that you are creating. To generate a certificate signing request (CSR), select External Authority (CSR). After the firewall generates the certificate and the key pair, you can export the CSR and send it to the CA for signing. |
Certificate Authority | Select this option if you want the firewall to issue the certificate. Marking this certificate as a CA allows you to use it to sign other certificates on the firewall. |
Block Private Key Export | When you generate a certificate, select this option to block all administrators, including Superusers, from exporting the private key. |
OCSP Responder | Select an OCSP responder profile from the drop-down (see Device > Certificate Management > OCSP Responder). The corresponding host name appears in the certificate. |
Algorithm | Select a key generation algorithm for the certificate: RSA or Elliptic Curve DSA (ECDSA). ECDSA uses smaller key sizes than the RSA algorithm and therefore provides a performance enhancement for processing SSL/TLS connections. ECDSA also provides equal or greater security than RSA. ECDSA is recommended for client browsers and operating systems that support it, but you may be required to select RSA for compatibility with legacy browsers and operating systems. Firewalls running PAN-OS 6.1 or earlier releases will delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls. You cannot use a hardware security module (HSM) to store private ECDSA keys used for SSL Forward Proxy or Inbound Inspection decryption. |
Number of Bits | Select the key length for the certificate. If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, the RSA keys generated must be 2048 or 3072 bits. If the Algorithm is Elliptic Curve DSA, both key length options (256 and 384) work. |
Digest | Select the Digest algorithm for the certificate. The available options depend on the key generation Algorithm. If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, you must select SHA256, SHA384, or SHA512 as the Digest algorithm. If the Algorithm is Elliptic Curve DSA, both Digest algorithms (SHA256 and SHA384) work. Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 when you configure SSL/TLS service profiles for the firewall services (see Device > Certificate Management > SSL/TLS Service Profile). |
Expiration (days) | Specify the number of days (default is 365) that the certificate will be valid. If you specify a Validity Period in a GlobalProtect satellite configuration, that value will override the value entered in this field. |
Certificate Attributes | Add additional Certificate Attributes to identify the entity to which you are issuing the certificate. You can add any of the following attributes: Country, State, Locality, Organization, Department, and Email. In addition, you can specify one of the following Subject Alternative Name fields: Host Name (SubjectAltName:DNS), IP (SubjectAltName:IP), and Alt Email (SubjectAltName:email). To add a country as a certificate attribute, select Country from the Type column and then click into the Value column to see the ISO 3166 Country Codes. |
If you configured a hardware security module (HSM), the
private keys are stored on the external HSM storage, not on the firewall.
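The Signed By, Certificate Authority and Certificate Attributes rows describe three roles: a CA (self-issued or imported), a CSR handed to an external authority, and the subject and SubjectAltName fields placed in the request. The block below is an added example written with the Python `cryptography` library, not PAN-OS code, so the resulting objects can be inspected offline: `build_ca` plays the CA with the CA basic constraint set, `build_csr` is the External Authority (CSR) path with the same attribute and SAN fields the dialog offers, `sign_csr` is the external CA's side, and `issued_by` is the chain check an importer would run. All function names, hostnames and addresses are constructed for this example.

```python
# Added example (not PAN-OS code): the CA / CSR / external-signing roles from
# the Signed By row, built with the `cryptography` library. Names and
# addresses are constructed sample data.
import datetime as dt
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID


def _validity(days):
    start = dt.datetime.now(dt.timezone.utc)
    return start, start + dt.timedelta(days=days)


def build_ca(common_name, days=3650):
    """Self-signed ECDSA P-384 CA; the CA flag is what 'Certificate Authority' controls."""
    key = ec.generate_private_key(ec.SECP384R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start, end = _validity(days)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=True, key_cert_sign=True, crl_sign=True,
                                     content_commitment=False, key_encipherment=False,
                                     data_encipherment=False, key_agreement=False,
                                     encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA384())
    )
    return key, cert


def build_csr(common_name, *, country=None, state=None, locality=None, organization=None,
              department=None, email=None, dns_names=(), ips=(), alt_emails=(), bits=2048):
    """External Authority (CSR): the RSA key pair stays local, only the CSR goes to the CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    # Certificate Attributes from the dialog map onto these X.500 subject fields
    attrs = [(NameOID.COMMON_NAME, common_name), (NameOID.COUNTRY_NAME, country),
             (NameOID.STATE_OR_PROVINCE_NAME, state), (NameOID.LOCALITY_NAME, locality),
             (NameOID.ORGANIZATION_NAME, organization),
             (NameOID.ORGANIZATIONAL_UNIT_NAME, department), (NameOID.EMAIL_ADDRESS, email)]
    subject = x509.Name([x509.NameAttribute(oid, value) for oid, value in attrs if value])
    # Host Name / IP / Alt Email become SubjectAltName:DNS / :IP / :email entries
    sans = ([x509.DNSName(d) for d in dns_names]
            + [x509.IPAddress(ipaddress.ip_address(i)) for i in ips]
            + [x509.RFC822Name(e) for e in alt_emails])
    builder = x509.CertificateSigningRequestBuilder().subject_name(subject)
    if sans:
        builder = builder.add_extension(x509.SubjectAlternativeName(sans), critical=False)
    return key, builder.sign(key, hashes.SHA256())


def sign_csr(csr, ca_key, ca_cert, days=365):
    """The external CA's side: verify the CSR's own signature, issue an end-entity cert."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not verify against its public key")
    start, end = _validity(days)
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject).issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start).not_valid_after(end)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    try:  # carry the requested SAN over unchanged
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=False)
    except x509.ExtensionNotFound:
        pass
    return builder.sign(ca_key, hashes.SHA384())


def issued_by(cert, ca_cert):
    """True if ca_cert's key signed cert and the issuer name matches ca_cert's subject."""
    pub = ca_cert.public_key()
    try:
        if isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def demo():
    """Run the three roles end to end and summarise what the issued cert contains."""
    ca_key, ca_cert = build_ca("Example Root CA")
    _dev_key, csr = build_csr("fw1.example.test", country="US", state="CA",
                              locality="Santa Clara", organization="Example Corp",
                              department="NetSec", email="pki@example.test",
                              dns_names=["fw1.example.test"], ips=["192.0.2.10"])
    cert = sign_csr(csr, ca_key, ca_cert)
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "chain_ok": issued_by(cert, ca_cert),
        "ca_self_signed": issued_by(ca_cert, ca_cert),
        "subject_matches_csr": cert.subject == csr.subject,
        "country": cert.subject.get_attributes_for_oid(NameOID.COUNTRY_NAME)[0].value,
        "dns": san.get_values_for_type(x509.DNSName),
        "ip": str(san.get_values_for_type(x509.IPAddress)[0]),
        "days": (cert.not_valid_after - cert.not_valid_before).days,
        "ca_flag": ca_cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca,
        "leaf_ca_flag": cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca,
    }
```

The private key never leaves `build_csr`, which is the property the Block Private Key Export option protects on a real device; when an HSM is configured, as the note above says, the key is generated and held there instead.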