Configure a Certificate Profile

Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.
It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.
  1. Obtain the certificate authority (CA) certificates you will assign.
    Perform one of the following steps to obtain the CA certificates you will assign to the profile. You must assign at least one.
    • Export a certificate from your enterprise CA and then import it onto the firewall (see step to 3).
  2. Identify the certificate profile.
    1. Select
      Device
      Certificate Management
      Certificates Profile
      and click
      Add
      .
    2. Enter a
      Name
      to identify the profile. The name is case-sensitive, must be unique and can use up to 63 characters on the firewall or up to 31 characters on Panorama that include only letters, numbers, spaces, hyphens, and underscores.
    3. If the firewall has more than one virtual system (vsys), select a
      Location
      (vsys or
      Shared
      ) for the certificate.
  3. Assign one or more certificates.
    Perform the following steps for each CA certificate:
    1. In the CA Certificates table, click
      Add
      .
    2. Select a
      CA Certificate
      . Alternatively, to import a certificate, click
      Import
      , enter a
      Certificate Name
      ,
      Browse
      to the
      Certificate File
      you exported from your enterprise CA, and click
      OK
      .
    3. (
      Optional
      ) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
      • By default, the firewall uses the “Authority Information Access” (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a
        Default OCSP URL
        (starting with
        http://
        or
        https://
        ).
      • By default, the firewall uses the certificate selected in the
        CA Certificate
        field to validate OCSP responses. To use a different certificate for validation, select it in the
        OCSP Verify CA Certificate
        field.
    4. Click
      OK
      . The CA Certificates table displays the assigned certificate.
  4. Define the methods for verifying certificate revocation status and the associated blocking behavior.
    1. Select
      Use CRL
      and/or
      Use OCSP
      . If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
    2. Depending on the verification method, enter the
      CRL Receive Timeout
      and/or
      OCSP Receive Timeout
      . These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL/OCSP service.
    3. Enter the
      Certificate Status Timeout
      . This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define. The
      Certificate Status Timeout
      relates to the OCSP/CRL
      Receive Timeout
      as follows:
      • If you enable both OCSP and CRL—The firewall registers a request timeout after the lesser of two intervals passes: the
        Certificate Status Timeout
        value or the aggregate of the two
        Receive Timeout
        values.
      • If you enable only OCSP—The firewall registers a request timeout after the lesser of two intervals passes: the
        Certificate Status Timeout
        value or the OCSP
        Receive Timeout
        value.
      • If you enable only CRL—The firewall registers a request timeout after the lesser of two intervals passes: the
        Certificate Status Timeout
        value or the CRL
        Receive Timeout
        value.
    4. If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select
      Block session if certificate status is unknown
      . Otherwise, the firewall allows the sessions.
    5. If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select
      Block session if certificate status cannot be retrieved within timeout
      . Otherwise, the firewall allows the sessions.
    6. (
      GlobalProtect only
      ) If you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect agent reports for the client endpoint, select
      Block sessions if the certificate was not issued to the authenticating device
      .
  5. Click
    OK
    and
    Commit

Related Documentation