Export a Certificate and Private Key
Palo Alto Networks recommends that you use
your enterprise public key infrastructure (PKI) to distribute a
certificate and private key in your organization. However, if necessary,
you can also export a certificate and private key from the firewall
or Panorama. You can use an exported certificate and private key
in the following cases:
- Enable SSL Between GlobalProtect LSVPN Components to configure GlobalProtect agent/app authentication to portals and gateways
- SSL Forward Proxy decryption
1. Select Device > Certificate Management > Certificates > Device Certificates.
2. If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate.
3. Select the certificate, click Export, and select a File Format:
   - Base64 Encoded Certificate (PEM)—This is the default format. It is the most common and has the broadest support on the Internet. If you want the exported file to include the private key, select the Export Private Key check box.
   - Encrypted Private Key and Certificate (PKCS12)—This format is more secure than PEM but is not as common or as broadly supported. The exported file will automatically include the private key.
   - Binary Encoded Certificate (DER)—More operating system types support this format than the others. You can export only the certificate, not the key: ignore the Export Private Key check box and passphrase fields.
4. Enter a Passphrase and Confirm Passphrase to encrypt the private key if the File Format is PKCS12 or if it is PEM and you selected the Export Private Key check box. You will use this passphrase when importing the certificate and key into client systems.
5. (Panorama managed firewalls) If you enabled Block Private Key Export when you generated or imported the certificate, you must be sure to Import Private Key and add the key File when you import the exported certificate. This is required to successfully push configuration changes from Panorama to managed firewalls that you imported the certificate to.
6. Click OK and save the certificate/key file to your computer.
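Before an exported file is copied to client systems, it helps to confirm which of the three formats it is and whether any PEM private key in it is passphrase-encrypted. The following Python check is an added example, not Palo Alto Networks code; the name `classify_export` and the sample bytes are constructed for illustration.

```python
import re

# One PEM block: label plus everything up to the matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _first_inner_tlv(data):
    """Return the first 3 bytes inside the outer ASN.1 SEQUENCE, or b''."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    n = data[1]
    start = 2 if n < 0x80 else 2 + (n & 0x7F)  # skip long-form length octets
    return data[start:start + 3]

def classify_export(data):
    """Return (file_format, has_private_key, key_encrypted) for exported bytes.

    key_encrypted is None when there is no key or it cannot be told from the
    header alone (PKCS12 needs the passphrase to inspect its contents).
    """
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        keys = [(lbl, body) for lbl, body in blocks if lbl.endswith(b"PRIVATE KEY")]
        if not keys:
            return ("PEM", False, None)
        # PKCS#8 marks encryption in the label, legacy PEM in a Proc-Type header.
        encrypted = all(
            lbl == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
            for lbl, body in keys
        )
        return ("PEM", True, encrypted)
    inner = _first_inner_tlv(data)
    if inner == b"\x02\x01\x03":      # PFX begins with INTEGER version 3
        return ("PKCS12", True, None)  # per the page, PKCS12 always carries the key
    if inner[:1] == b"\x30":          # Certificate begins with tbsCertificate
        return ("DER", False, None)
    return ("unknown", False, None)

# Constructed sample (placeholder bodies, not real key material).
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    b"cGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(classify_export(SAMPLE_PEM))  # ('PEM', True, True)
```

A result of `("PEM", True, False)` means the file holds a cleartext private key and should not leave the workstation in that form.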