End-of-Life (EoL)
Device > Certificate Management > Certificate Profile
- Device > Certificate Management > Certificate Profile
- Panorama > Certificate Management > Certificate Profiles
Certificate profiles define which certificate authority (CA)
certificates to use for verifying client certificates, how to verify
certificate revocation status, and how that status constrains access.
You select the profiles when configuring certificate authentication
for Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web
interface access to firewalls and Panorama. You can configure a
separate certificate profile for each of these services.
Certificate Profile Settings | Description |
---|---|
Name | ( Required ) Enter a name to identify
the profile (up to 63 characters on the firewall or up to 31 characters
on Panorama). The name is case-sensitive and must be unique. Use only
letters, numbers, spaces, hyphens, and underscores. |
Location | Select the scope in which the profile is
available. In the context of a firewall that has more than one virtual
system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location ;
its value is predefined as Shared (firewalls ) or as Panorama.
After you save the profile, you can’t change its Location . |
Username Field | If GlobalProtect only uses certificates
for portal and gateway authentication, PAN-OS uses the certificate
field you select in the Username Field drop-down
as the username and matches it to the IP address for the User-ID
service:
|
Domain | Enter the NetBIOS domain so PAN-OS can map
users through User-ID. |
CA Certificates | ( Required ) Click Add and
select a CA Certificate to assign to the
profile.Optionally, if the firewall uses Online Certificate
Status Protocol (OCSP) to verify certificate revocation status,
configure the following fields to override the default behavior.
For most deployments, these fields do not apply.
|
Use CRL | Select this option to use a certificate
revocation list (CRL) to verify the revocation status of certificates. |
Use OCSP | Select this option to use OCSP to verify
the revocation status of certificates. If you select
both OCSP and CRL, the firewall first tries OCSP and only falls
back to the CRL method if the OCSP responder is unavailable. |
CRL Receive Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from the CRL service. |
OCSP Receive Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from the OCSP responder. |
Certificate Status Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from any certificate
status service and applies any session blocking logic you define. |
Block session if certificate status is unknown | Select this option if you want the firewall
to block sessions when the OCSP or CRL service returns a certificate
revocation status of unknown . Otherwise, the firewall proceeds
with the sessions. |
Block sessions if certificate
status cannot be retrieved within timeout | Select this option if you want
the firewall to block sessions after it registers an OCSP or CRL
request timeout. Otherwise, the firewall proceeds with the sessions. |
Block sessions if the certificate was not
issued to the authenticating device | ( GlobalProtect only ) Select this
option if you want the firewall to block sessions when the serial
number attribute in the subject of a client certificate does not
match the host ID that the GlobalProtect agent reports
for the client endpoint. Otherwise, the firewall allows the sessions. This
option applies only to GlobalProtect certificate authentication authentication. |
Recommended For You
Recommended Videos
Recommended videos not found.