Import a Certificate and Private Key
If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.
On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
- From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
- Select Device > Certificate Management > Certificates > Device Certificates.
- If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
- Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
- To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
- Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
- Select a File Format:
  - Encrypted Private Key and Certificate (PKCS12)—This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
  - Base64 Encoded Certificate (PEM)—You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step.
- Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
- Click OK. The Device Certificates page displays the imported certificate.
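The steps above assume the export from the enterprise CA produced files the firewall will accept: a certificate whose chain verifies, a private key that actually belongs to that certificate, and a key or PKCS12 container protected by the transport passphrase. The script below is an added example, not Palo Alto Networks tooling; it uses openssl to build the two file layouts the Import dialog accepts (an encrypted PEM key alongside the certificate, or a single PKCS12 container) and to run the checks worth doing before opening that dialog. The root CA, server certificate, host name and passphrase are constructed throwaway test material standing in for the real enterprise CA export.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' own tooling): prepare and sanity-check
# the files the import step expects, using openssl. The CA, server certificate,
# host name and passphrase are CONSTRUCTED test material; in practice the leaf
# certificate, chain and passphrase-protected key come from the enterprise PKI.
set -e

# Certificate Name rule from the Import dialog: letters, digits, hyphens and
# underscores only; up to 63 characters on a firewall, 31 on Panorama.
valid_cert_name() {
    name=$1; limit=${2:-63}
    [ -n "$name" ] && [ ${#name} -le "$limit" ] \
        && [ -z "$(printf '%s' "$name" | tr -d 'A-Za-z0-9_-')" ]
}

# Does the (passphrase-encrypted) private key belong to the certificate?
# Compare public-key hashes rather than trusting file names.
key_matches_cert() {
    cert=$1; key=$2; pass=$3
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Is the leaf certificate really signed by the chain we plan to import with it?
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Scratch directory for the constructed material; removed on exit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='Transport-Passphrase-1'   # constructed; the CA export defines the real one
cd "$WORK"

# 1. Throwaway enterprise root CA (stands in for the real one).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Example Enterprise Root CA' \
    -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. The firewall's key and CSR, signed by the test CA.
openssl req -newkey rsa:2048 -nodes \
    -subj '/CN=fw01.example.test' \
    -keyout fw.key -out fw.csr >/dev/null 2>&1
openssl x509 -req -in fw.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -out fw.crt >/dev/null 2>&1

# 3a. PEM layout: certificate plus a separately imported key. The key travels
#     encrypted, so the Import dialog can ask for the same passphrase.
openssl pkey -in fw.key -aes-256-cbc -passout "pass:$PASS" -out fw-enc.key

# 3b. PKCS12 layout: key, certificate and issuing chain in one container,
#     protected by the transport passphrase.
openssl pkcs12 -export -in fw.crt -inkey fw.key -certfile ca.crt \
    -passout "pass:$PASS" -out fw.p12

# Checks to run before opening the firewall's Import dialog.
pre_import_checks() {
    key_matches_cert fw.crt fw-enc.key "$PASS" || return 1
    chain_verifies ca.crt fw.crt || return 1
    # The PKCS12 must open with the passphrase and carry the CA chain.
    openssl pkcs12 -in fw.p12 -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -q 'Example Enterprise Root CA'
}

if pre_import_checks; then
    echo "files ready for import: fw.crt + fw-enc.key (PEM) or fw.p12 (PKCS12)"
else
    echo "pre-import checks failed; do not import these files" >&2
    exit 1
fi
```

A mismatched key is the most common reason an import fails, so `key_matches_cert` is worth running on the real export even when the file names look right. If the firewall rejects a PKCS12 built this way, note that OpenSSL 3 changed its default PKCS12 encryption from the older RC2/3DES schemes to AES-256 with PBKDF2; check which container encryption your PAN-OS release accepts before re-exporting.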