>
    Configure the Key Size for SSL Forward Proxy Server Certificates
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Certificate Management
    4. Configure the Key Size for SSL Forward Proxy Server Certificates
    Download PDF

    Configure the Key Size for SSL Forward Proxy Server Certificates

    Table of Contents
    End-of-Life (EoL)

    Configure the Key Size for SSL Forward Proxy Server Certificates

    When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate.
    Changing key size settings clears the current certificate cache.
    1. Select DeviceSetupSession and, in the Decryption Settings section, click SSL Forward Proxy Settings.
    2. Edit the Forward Proxy Server Certificate Settings.
      1. Select an RSA Key Size:
        • Defined by destination host (default)—The firewall determines the key size and the hashing algorithm for the certificates it generates to establish SSL proxy sessions with clients based on the destination server certificate.
          • If the destination server uses a 1,024-bit RSA key, the firewall generates a certificate with a 1,024-bit RSA key.
          • If the destination server uses a key size larger than 1,024 bits (for example, 2,048 or 4,096 bits), the firewall generates a certificate with a 2,048-bit RSA key.
          • If the destination server uses the SHA-1 hashing algorithm, the firewall generates a certificate with the SHA-1 hashing algorithm.
          • If the destination server uses a hashing algorithm stronger than SHA-1, the firewall generates a certificate with the SHA-256 algorithm.
        • 1024-bit RSA—The firewall generates certificates that use a 1,024-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates.
          As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.
        • 2048-bit RSA—The firewall generates certificates that use a 2,048-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than 1,024-bit keys.
        • 3072-bit RSA—The firewall generates certificates that use a 3,072-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates.
        • 4096-bit RSA—The firewall generates certificates that use a 4,096-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates.
      2. Select an ECDSA Key Size:
        • Defined by destination host (default)—The firewall generates certificates based on the key size that the destination server uses.
          • If the destination server uses an ECDSA 256-bit or 384-bit key, the firewall generates a certificate with that key size.
          • If the destination server uses a key size larger than 384 bits, the firewall generates a certificate with a 521-bit key.
        • 256-bit ECDSA—The firewall generates certificates with an ECDSA 256-bit key regardless of the key size that the destination server uses.
        • 384-bit ECDSA—The firewall generates certificates with an ECDSA 384-bit key regardless of the key size that the destination server uses.
    3. Click OK and Commit your changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.