Device > Certificate Management > Certificate Profile
Certificate profiles define which certificate authority (CA) certificates to use for verifying client certificates, how to verify certificate revocation status, and how that status constrains access. You select the profiles when configuring certificate authentication for Authentication Portal, GlobalProtect, site-to-site IPSec VPN, Dynamic DNS (DDNS), and web interface access to firewalls and Panorama. You can configure a separate certificate profile for each of these services.
Certificate Profile Settings and Descriptions
Name
(Required) Enter a name to identify the profile (up to 63 characters on the firewall or up to 31 characters on Panorama). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Username Field
If GlobalProtect only uses certificates for portal and gateway authentication, the PAN-OS software uses the certificate field you select in the Username Field drop-down as the username and matches it to the IP address for the User-ID service:
  • Subject—The common name.
  • Subject Alt—The Email or Principal Name.
  • None—Typically for GlobalProtect device or pre-login authentication.
Domain
Enter the NetBIOS domain so the PAN-OS software can map users through User-ID.
CA Certificates
(Required) Add a CA Certificate to assign to the profile.
Optionally, if the firewall uses Online Certificate Status Protocol (OCSP) to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
  • By default, the firewall uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://).
  • By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
In addition, enter a Template Name to identify the template that was used to sign the certificate.
Use CRL
Select this option to use a certificate revocation list (CRL) to verify the revocation status of certificates.
Use OCSP
Select this option to use OCSP to verify the revocation status of certificates.
If you select both OCSP and CRL, the firewall first tries OCSP and only falls back to the CRL method if the OCSP responder is unavailable.
CRL Receive Timeout
Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the CRL service.
OCSP Receive Timeout
Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from the OCSP responder.
Certificate Status Timeout
Specify the interval (1 to 60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session blocking logic you define.
Block session if certificate status is unknown
Select this option if you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall proceeds with the sessions.
Block sessions if certificate status cannot be retrieved within timeout
Select this option if you want the firewall to block sessions after it registers an OCSP or CRL request timeout. Otherwise, the firewall proceeds with the sessions.
Block sessions if the certificate was not issued to the authenticating device
(GlobalProtect only) Select this option if you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint. Otherwise, the firewall allows the sessions. This option applies only to GlobalProtect certificate authentication.
Block sessions with expired certificates
Select this option if you want the firewall to block sessions with servers that present expired certificates.
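The following is an added example, not Palo Alto Networks code: it models how the Use OCSP, Use CRL and Block session options described above combine into an allow-or-block decision, including the fall-back from OCSP to CRL when the OCSP responder is unavailable. The responder lookups are stand-in callables with constructed results; nothing is queried over the network.

```python
"""Model of a certificate profile's revocation-check decision (added example,
not PAN-OS code). Lookups are injected callables so the logic runs offline."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Status(Enum):
    GOOD = "good"                # responder confirms the certificate is not revoked
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder answered but does not know the certificate
    UNAVAILABLE = "unavailable"  # no usable answer before the receive timeout


Lookup = Callable[[], Status]


@dataclass
class CertificateProfile:
    use_ocsp: bool = False
    use_crl: bool = False
    block_if_unknown: bool = False  # "Block session if certificate status is unknown"
    block_if_timeout: bool = False  # "Block sessions if ... cannot be retrieved within timeout"


def revocation_status(profile: CertificateProfile, ocsp: Lookup, crl: Lookup) -> Optional[Status]:
    """Return the status the firewall acts on, or None if neither method is enabled.
    OCSP is tried first; the CRL is consulted only when OCSP is unavailable."""
    if profile.use_ocsp:
        status = ocsp()
        if status is not Status.UNAVAILABLE or not profile.use_crl:
            return status  # a definite OCSP answer, or no CRL to fall back to
    if profile.use_crl:
        return crl()
    return None


def session_allowed(profile: CertificateProfile, status: Optional[Status]) -> bool:
    """Apply the profile's blocking options to the retrieved revocation status."""
    if status is Status.REVOKED:
        return False
    if status is Status.UNKNOWN:
        return not profile.block_if_unknown
    if status is Status.UNAVAILABLE:
        return not profile.block_if_timeout
    return True  # GOOD, or revocation checking not enabled


if __name__ == "__main__":
    strict = CertificateProfile(use_ocsp=True, use_crl=True, block_if_unknown=True, block_if_timeout=True)
    # Constructed scenario: OCSP responder times out, CRL reports the certificate as good.
    print(session_allowed(strict, revocation_status(strict, lambda: Status.UNAVAILABLE, lambda: Status.GOOD)))
```

With both methods enabled and both block options set, an OCSP timeout followed by a "good" CRL answer still allows the session; only when the CRL is also unavailable does the timeout option block it.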