Configure a Certificate Profile
Certificate profiles define user and device authentication for Captive Portal, GlobalProtect, site-to-site IPSec VPN, Mobile Security Manager, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.
It is a best practice to enable Online Certificate Status Protocol (OCSP) and/or Certificate Revocation List (CRL) status verification for certificate profiles. For details on these methods, see Certificate Revocation.
- Obtain the certificate authority (CA) certificates you will assign.
- Identify the certificate profile.
  - Select Device > Certificate Management > Certificate Profile and click Add.
  - Enter a Name to identify the profile. The name is case-sensitive, must be unique, and can use up to 63 characters on the firewall or up to 31 characters on Panorama; it can contain only letters, numbers, spaces, hyphens, and underscores.
  - If the firewall has more than one virtual system (vsys), select a Location (a specific vsys or Shared) for the certificate profile.
- Assign one or more CA certificates. Perform the following steps for each CA certificate:
  - In the CA Certificates table, click Add.
  - Select a CA Certificate. Alternatively, to import a certificate, click Import, enter a Certificate Name, Browse to the Certificate File you exported from your enterprise CA, and click OK.
  - (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments the defaults are correct and you can leave these fields blank.
    - By default, the firewall extracts the OCSP responder location from the Authority Information Access (AIA) extension of the certificate being verified. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://).
    - By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation (for example, when a dedicated responder certificate rather than the CA itself signs the responses), select it in the OCSP Verify CA Certificate field.
  - Click OK. The CA Certificates table displays the assigned certificate.
- Define the methods for verifying certificate revocation status and the associated blocking behavior.
  - Select Use CRL and/or Use OCSP. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
  - Depending on the verification method, enter the CRL Receive Timeout and/or OCSP Receive Timeout. These are the intervals (1-60 seconds) after which the firewall stops waiting for a response from the CRL or OCSP service.
  - Enter the Certificate Status Timeout. This is the interval (1-60 seconds) after which the firewall stops waiting for a response from any certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP/CRL Receive Timeout as follows:
    - If you enable both OCSP and CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
    - If you enable only OCSP, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
    - If you enable only CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
  - If you want the firewall to block sessions when the OCSP or CRL service returns a certificate revocation status of unknown, select Block session if certificate status is unknown. Otherwise, the firewall allows the sessions.
  - If you want the firewall to block sessions after it registers an OCSP or CRL request timeout, select Block session if certificate status cannot be retrieved within timeout. Otherwise, the firewall allows the sessions. Note that with both of these options unselected the firewall fails open: a certificate whose status could not be determined is treated like a valid one.
  - (GlobalProtect only) If you want the firewall to block sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect agent reports for the client endpoint, select Block sessions if the certificate was not issued to the authenticating device.
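The interaction between the two Receive Timeouts, the Certificate Status Timeout and the two block options is easier to reason about when the documented rules are written out as code. The following is an added model of that decision logic, not PAN-OS code: it encodes the rules stated above (OCSP first, CRL only when the OCSP responder is unavailable, a request timeout after the lesser of the Certificate Status Timeout and the enabled Receive Timeouts, and the block-on-unknown and block-on-timeout switches). The `Lookup` objects are constructed stand-ins for the OCSP and CRL services, and the way elapsed time is carried from the OCSP attempt into the CRL attempt is an assumption of the model, not something the page specifies.

```python
"""Model of the revocation-status decision logic documented for a PAN-OS
certificate profile.  Added illustration, not PAN-OS code.  The accounting
of elapsed time across the OCSP and CRL attempts is an assumption."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


@dataclass
class CertificateProfile:
    """Mirrors the revocation fields of a certificate profile."""
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5         # 1-60 seconds
    crl_receive_timeout: int = 5          # 1-60 seconds
    certificate_status_timeout: int = 5   # 1-60 seconds
    block_if_unknown: bool = False        # Block session if certificate status is unknown
    block_if_timeout: bool = False        # Block session if status cannot be retrieved within timeout

    def __post_init__(self) -> None:
        for name in ("ocsp_receive_timeout", "crl_receive_timeout",
                     "certificate_status_timeout"):
            if not 1 <= getattr(self, name) <= 60:
                raise ValueError(f"{name} must be 1-60 seconds")
        if not (self.use_ocsp or self.use_crl):
            raise ValueError("enable Use OCSP and/or Use CRL")

    def effective_timeout(self) -> int:
        """Seconds after which a request timeout is registered: the lesser of
        the Certificate Status Timeout and the aggregate of the Receive
        Timeouts of the enabled methods."""
        aggregate = 0
        if self.use_ocsp:
            aggregate += self.ocsp_receive_timeout
        if self.use_crl:
            aggregate += self.crl_receive_timeout
        return min(self.certificate_status_timeout, aggregate)


@dataclass
class Lookup:
    """Constructed stand-in for a revocation service.  status=None means the
    service is unreachable; latency is the seconds a reply takes to arrive."""
    status: Optional[Status]
    latency: int


def evaluate(profile: CertificateProfile, ocsp: Lookup, crl: Lookup) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'allow' or 'block'."""
    deadline = profile.effective_timeout()
    elapsed = 0
    status: Optional[Status] = None

    # OCSP is tried first.  A reply of 'unknown' is still a reply, so it does
    # not trigger the CRL fallback; only an unavailable responder does.
    if profile.use_ocsp:
        budget = min(profile.ocsp_receive_timeout, deadline - elapsed)
        if ocsp.status is not None and ocsp.latency <= budget:
            elapsed += ocsp.latency
            status = ocsp.status
        else:
            elapsed += budget  # waited the whole budget without an answer

    # CRL fallback only if nothing was learned and time remains.
    if status is None and profile.use_crl and elapsed < deadline:
        budget = min(profile.crl_receive_timeout, deadline - elapsed)
        if crl.status is not None and crl.latency <= budget:
            elapsed += crl.latency
            status = crl.status
        else:
            elapsed += budget

    if status is None:
        return ("block" if profile.block_if_timeout else "allow", "timeout")
    if status is Status.REVOKED:
        return ("block", "revoked")
    if status is Status.UNKNOWN:
        return ("block" if profile.block_if_unknown else "allow", "unknown")
    return ("allow", "good")


if __name__ == "__main__":
    dead_ocsp = Lookup(status=None, latency=0)
    good_crl = Lookup(status=Status.GOOD, latency=2)
    # Defaults: the 5 s status timeout equals the 5 s OCSP budget, so the
    # CRL fallback never runs and a healthy CRL cannot rescue the session.
    print(evaluate(CertificateProfile(), dead_ocsp, good_crl))
    # A larger Certificate Status Timeout leaves room for the CRL lookup.
    print(evaluate(CertificateProfile(certificate_status_timeout=10), dead_ocsp, good_crl))
```

The two calls at the bottom show the caveat worth checking in your own profile: under the documented rules, if the Certificate Status Timeout is no larger than the OCSP Receive Timeout, an unreachable OCSP responder consumes the whole interval and the CRL fallback is never attempted, so the outcome is decided by the timeout option alone. If you rely on the CRL as a fallback, set the Certificate Status Timeout high enough to cover both lookups, and decide deliberately whether a timeout or an unknown status should fail open or closed.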