Deploy Custom Certificates

Complete the following procedure to obtain custom certificates and deploy them on your Panorama and its managed devices.
  1. Generate or obtain your server and client certificates.
    Based on the needs of your organization, choose one of the supported methods for generating or obtaining your custom certificates.
  2. Configure the server certificate profile and SSL/TLS service profile for Panorama or server Log Collector.
    1. Configure a certificate profile. This profile includes the server certificate, as well as the root and intermediate CAs.
    2. Configure an SSL/TLS service profile.
  3. Configure Secure Server Communication on Panorama or Log Collector.
    1. Select the SSL/TLS service and certificate profiles for secure server communication.
    2. Optionally, you can add another layer of security by authorizing clients.
      • You can configure an authorization list. The authorization list checks the client certificate Subject or Subject Alt Name. If the Subject or Subject Alt Name presented with the client certificate does not match an identifier on the authorization list, authentication is denied.
      • Panorama can also authorize firewalls and Log Collectors based on their serial number.
    3. Do not check Allow Custom Certificates Only until you have deployed custom certificates on your managed devices.
    4. Set the Disconnect Wait Time in minutes. This is how long Panorama waits before terminating its current connection with managed devices and reestablishing it using custom certificates for authentication. The countdown begins when you commit your configuration.
  4. Configure the client certificate profile on the firewall or Panorama (and push it to the applicable managed devices).
    Configure a certificate profile or profiles for the device or devices managed by Panorama. You can configure a unique certificate profile for each managed device or push the certificate profile to managed devices as part of a template.
    You can use a local certificate or obtain a certificate from a Simple Certificate Enrollment Protocol (SCEP) server.
  5. Deploy the client certificates on firewalls or Log Collectors.
    1. On the firewall or client Log Collector, configure the Secure Client Connection settings. Assign the certificate or SCEP profile and the certificate profile for the firewall to use for authentication. Additionally, the firewall can verify the server’s identity by matching the server’s IP address or FQDN with the common name in the server certificate.
    2. Commit your changes. After committing your changes, the firewall will begin using the custom certificate when the disconnect wait time is complete and the server has terminated its current connection to the client.
  6. Enforce the use of custom certificates.
    1. Return to Panorama or the server Log Collector. Once you select Allow Custom Certificates Only, all devices managed by Panorama must use custom certificates; if a device does not, authentication between Panorama and that firewall or Log Collector fails.
    2. To add additional managed devices, you must deploy the certificates on the firewall or Log Collector before adding it to Panorama, or disable custom-certificate enforcement until the certificate is deployed.
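The two identity checks this procedure relies on, the client authorization list from step 3.2 and the server identity check from step 5.1, worked through as an added Python example that is not part of this documentation or of PAN-OS. It models certificates in the dict shape Python's ssl.getpeercert() returns; every name, address and serial value below is constructed.

```python
import ipaddress

def cert_identifiers(cert):
    """Subject CN plus every DNS and IP SAN entry of a getpeercert() dict."""
    names = set()
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.add(value)
    for san_type, value in cert.get("subjectAltName", ()):
        if san_type in ("DNS", "IP Address"):
            names.add(value)
    return names

def client_authorized(cert, authorization_list, serial=None, serial_list=()):
    """Step 3.2: accept only if the Subject CN or a SAN exactly matches an
    authorization-list identifier, or the device serial number is listed."""
    if serial is not None and serial in serial_list:
        return True
    return not cert_identifiers(cert).isdisjoint(authorization_list)

def _normalize(name):
    """Compare IP addresses as addresses and host names case-insensitively."""
    try:
        return ipaddress.ip_address(name)
    except ValueError:
        return name.lower()

def server_identity_ok(cert, expected):
    """Step 5.1: the configured Panorama IP address or FQDN must match the
    server certificate's common name (SAN entries are accepted here too,
    an assumption beyond the page's wording)."""
    want = _normalize(expected)
    return any(_normalize(name) == want for name in cert_identifiers(cert))

# Constructed sample certificates in the shape ssl.getpeercert() returns.
FIREWALL_CERT = {
    "subject": ((("commonName", "fw-branch-01.example.net"),),),
    "subjectAltName": (("DNS", "fw-branch-01.example.net"), ("IP Address", "10.20.30.40")),
}
PANORAMA_CERT = {
    "subject": ((("commonName", "panorama.example.net"),),),
    "subjectAltName": (("DNS", "panorama.example.net"), ("IP Address", "10.0.0.5")),
}
AUTHORIZATION_LIST = {"fw-branch-01.example.net", "fw-hq-01.example.net"}

if __name__ == "__main__":
    print(client_authorized(FIREWALL_CERT, AUTHORIZATION_LIST))  # True
    print(server_identity_ok(PANORAMA_CERT, "panorama.example.com"))  # False
```

A cert whose CN or SAN is absent from the list is denied even when it chains to a trusted CA, which is the extra layer step 3.2 adds on top of the certificate profile.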
