PAN-OS® New Features Guide
  1. Home
  2. PAN-OS
  3. PAN-OS® New Features Guide
  4. Management Features
  5. Support for 4,096-bit RSA Certificates
Previous
Next
The firewall and Panorama now support RSA certificates with 4,096-bit keys, which are more secure than smaller keys. You can use these certificates to authenticate clients, servers, users, and devices in multiple applications, including Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access.
 The maximum key size is 3,072 bits for certificates that you generate on firewalls in FIPS mode. For certificates that are used in two-factor GlobalProtect authentication, the RSA keys must be 2,048 bits or 3072 bits.
Generate a 4,096-bit RSA Certificate
Select Device > Certificate Management > Certificates > Device Certificates and Generate a new certificate.
Select Local and enter a Certificate Name.
Specify the Common Name —either the FQDN ( recommended ) or the IP address of the interface on which you will configure the service that will use this certificate.
Select Certificate Authority (CA) if this is a CA certificate. Otherwise, from the Signed By drop-down, select the root CA certificate that will issue this certificate.
Set the Algorithm to RSA (default) and the Number of Bits to 4096.
Select the Digest algorithm (default is sha256).
Enter the Expiration period, which is the number of days for which the certificate is valid (default is 365).
Generate the certificate.
Click the certificate Name in the Device Certificates tab to edit it.
Select the usage description(s) that correspond to the intended use of the certificate.
Click OK and Commit.
Previous
Next

Related Documentation

Generate a Certificate

Generate a Certificate Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive ...

Device > Certificate Management > Certificates

Device > Certificate Management > Certificates Select Device > Certificate Management > Certificates > Device Certificates to manage (generate, import, renew, delete, and revoke) certificates, ...

Deploy Machine Certificates for Authentication

Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...

Enable SSL Between GlobalProtect LSVPN Components

Enable SSL Between GlobalProtect LSVPN Components All interaction between the GlobalProtect components occurs over an SSL/TLS connection. Therefore, you must generate and/or install the required ...

Configure the Key Size for SSL Forward Proxy Server Certificates

Configure the Key Size for SSL Forward Proxy Server Certificates When responding to a client in an SSL Forward Proxy session, the firewall creates a ...

Deploy Server Certificates to the GlobalProtect Components

Deploy Server Certificates to the GlobalProtect Components The following workflow shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...

Deploy User-Specific Client Certificates for Authentication

Deploy User-Specific Client Certificates for Authentication To authenticate individual users, you must issue a unique client certificate to each GlobalProtect user and deploy the client ...

Configure SSL Forward Proxy

Configure SSL Forward Proxy To enable the firewall to perform SSL Forward Proxy decryption, you must set up the certificates required to establish the firewall ...

Network > Network Profiles > IKE Gateways

Network > Network Profiles > IKE Gateways Use this page to manage or define a gateway, including the configuration information necessary to perform Internet Key ...

Device > Certificate Management > SCEP

Device > Certificate Management > SCEP The simple certificate enrollment protocol (SCEP) provides a mechanism for issuing a unique certificate to endpoints, gateways, and satellite ...

© 2019 Palo Alto Networks, Inc. All rights reserved.