Device > Certificate Management > Certificate Profile
Certificate profiles define which certificate authority (CA) certificates to use for verifying client certificates, how to verify certificate revocation status, and how that status constrains access. You select the profiles when configuring certificate authentication for Authentication Portal, GlobalProtect, site-to-site IPSec VPN, Dynamic DNS (DDNS), and web interface access to firewalls and Panorama. You can configure a separate certificate profile for each of these services.
| Certificate Profile Settings | Description |
|---|---|
| Name | (Required) Enter a name to identify the profile (up to 63 characters on the firewall or up to 31 characters on Panorama). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
| Location | Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location. |
| Username Field | If GlobalProtect only uses certificates for portal and gateway authentication, the PAN-OS software uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service: |
| Domain | Enter the NetBIOS domain so the PAN-OS software can map users through User-ID. |
| CA Certificates | (Required) Add a CA Certificate to assign to the profile. Optionally, if the firewall uses Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply. In addition, enter a Template Name to identify the template that was used to sign the certificate. |
| Use CRL | Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates. |
| Use OCSP | Select this option to use OCSP to verify the revocation status of certificates. If you select both OCSP and CRL, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable. |
| CRL Receive Timeout | Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the CRL service. |
| OCSP Receive Timeout | Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the OCSP responder. |
| Certificate Status Timeout | Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you define. |
| Block session if certificate status is unknown | Select this option if you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the sessions. |
| Block sessions if certificate status cannot be retrieved within timeout | Select this option if you want the firewall to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the firewall proceeds with the sessions. |
| Block sessions if the certificate was not issued to the authenticating device | (GlobalProtect only) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication. |
| Block sessions with expired certificates | Select this option if you want the firewall to block sessions with servers that present expired certificates. |
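The revocation and blocking options in the table combine into a single allow-or-block decision per client certificate. The Python model below is an added example, not PAN-OS code; it assumes the check order shown, and it models an unreachable OCSP responder as an OCSP receive timeout, which is the condition under which the CRL fallback applies. The sample certificates and clock values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Revocation-check outcomes, named after the profile's wording (constructed for this example).
GOOD, REVOKED, UNKNOWN, TIMEOUT, NOT_CHECKED = "good", "revoked", "unknown", "timeout", "not-checked"

@dataclass
class CertificateProfile:
    """Revocation and blocking settings from the Certificate Profile table."""
    use_crl: bool = False
    use_ocsp: bool = False
    block_unknown: bool = False           # Block session if certificate status is unknown
    block_timeout: bool = False           # Block sessions if status cannot be retrieved within timeout
    block_expired: bool = False           # Block sessions with expired certificates
    block_host_id_mismatch: bool = False  # (GlobalProtect only) subject serial number must match host ID

@dataclass
class ClientCert:
    serial_number: str  # subject serial number attribute, compared with the GlobalProtect host ID
    not_after: datetime

def revocation_status(profile, ocsp, crl):
    """OCSP first; consult the CRL only if OCSP gave no answer within its receive timeout.
    Assumption: an unreachable OCSP responder is modelled as the TIMEOUT outcome."""
    status = NOT_CHECKED
    if profile.use_ocsp:
        status = ocsp()
        if status != TIMEOUT:
            return status
    if profile.use_crl:
        status = crl()
    return status

def decide(profile, cert, ocsp, crl, now, host_id=None):
    """Return ('allow' | 'block', reason) for one client certificate under the profile."""
    if profile.block_expired and cert.not_after < now:
        return "block", "expired"
    if profile.block_host_id_mismatch and cert.serial_number != host_id:
        return "block", "host-id-mismatch"
    status = revocation_status(profile, ocsp, crl)
    if status == REVOKED:
        return "block", "revoked"
    if status == UNKNOWN and profile.block_unknown:
        return "block", "unknown"
    if status == TIMEOUT and profile.block_timeout:
        return "block", "timeout"
    return "allow", status

# Constructed sample inputs for trying the logic out.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
VALID_CERT = ClientCert("HOSTID-0001", datetime(2030, 1, 1, tzinfo=timezone.utc))
EXPIRED_CERT = ClientCert("HOSTID-0001", datetime(2020, 1, 1, tzinfo=timezone.utc))
```

Note that an unknown OCSP answer does not trigger the CRL fallback; only a missing answer does, so a profile without Block session if certificate status is unknown lets such sessions through.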