Manage Firewall and Panorama Certificates
- Device > Certificate Management > Certificates > Device Certificates
- Panorama > Certificate Management > Certificates
Select DeviceCertificate ManagementCertificatesDevice Certificates or PanoramaCertificate ManagementCertificatesDevice Certificates to display the certificates that the firewall or Panorama uses for tasks such as securing access to the web interface, SSL decryption, or LSVPN.
The following are some uses for certificates. Define the usage of the certificate after you generate it (see Manage Default Trusted Certificate Authorities).
- Forward Trust—The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption when the certificate authority (CA) that signed the server certificate is in the trusted CA list on the firewall.
- Forward Untrust—The firewall uses this certificate to sign a copy of the server certificate the firewall presents to clients during SSL Forward Proxy decryption when the CA that signed the server certificate is not in the trusted CA list on the firewall.
- Trusted Root CA—The firewall uses this certificate as a trusted CA for SSL Forward Proxy decryption , GlobalProtect , URL Admin Override , and Captive Portal . The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that your organization trusts but that are not part of the pre-installed trusted list.
- SSL Exclude—The firewall uses this certificate if you configure decryption exceptions to exclude specific servers from SSL/TLS decryption.
- Certificate for Secure Syslog—The firewall uses this certificate to secure the delivery of logs as syslog messages to a syslog server.
To generate a certificate, click Generate and specify the following fields:
Settings to Generate a Certificate
Select the entity that generates the certificate:
Local—The firewall or Panorama generates the certificate.
SCEP—A Simple Certificate Enrollment Protocol (SCEP) server generates the certificate and sends it to the firewall or Panorama.
(Required) Enter a name (up to 63 characters on the firewall or up to 31 characters on Panorama) to identify the certificate. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
(SCEP certificates only) Select a SCEP Profile to define how the firewall or Panorama communicates with a SCEP server and to define settings for the SCEP certificate. For details, see Device > Certificate Management > SCEP. You can configure a firewall that serves as a GlobalProtect portal to request SCEP certificates on demand and automaticallydeploy the certificates to endpoints.
The remaining fields in the Generate Certificate dialog do not apply to SCEP certificates. After specifying the Certificate Name and SCEP Profile, click Generate.
(Required) Enter the IP address or FQDN that will appear on the certificate.
On a firewall that has more than one virtual system (vsys), select Shared if you want the certificate to be available to every vsys.
To sign the certificate, you can use a certificate authority (CA) certificate that you imported into the firewall. The certificate can also be self-signed, in which case the firewall is the CA. If you are using Panorama, you also have the option of generating a self-signed certificate for Panorama.
If you imported CA certificates or issued any on the firewall (self-signed), the drop-down includes the CAs available to sign the certificate that you are creating.
To generate a certificate signing request (CSR), select External Authority (CSR). After the firewall generates the certificate and the key pair, you can export the CSR and send it to the CA for signing.
Select this option if you want the firewall to issue the certificate.
Marking this certificate as a CA allows you to use this certificate to sign other certificates on the firewall.
Select an OCSP responder profile from the drop-down (see Device > Certificate Management > OCSP Responder). The corresponding host name appears in the certificate.
Select a key generation algorithm for the certificate: RSA or Elliptic Curve DSA (ECDSA).
ECDSA uses smaller key sizes than the RSA algorithm and, therefore, provides a performance enhancement for processing SSL/TLS connections. ECDSA also provides equal or greater security than RSA. ECDSA is recommended for client browsers and operating systems that support it but you may be required to select RSA for compatibility with legacy browsers and operating systems.
Firewalls running PAN-OS 6.1 or earlier releases will delete any ECDSA certificates that you push from Panorama and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.
You cannot use a hardware security module (HSM) to store private ECDSA keys used for SSL Forward Proxy or Inbound Inspection decryption.
Number of Bits
Select the key length for the certificate.
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, the RSA keys generated must be 2048 or 3027 bits. If the Algorithm is Elliptic Curve DSA, both key length options (256 and 384) work.
Select the Digest algorithm for the certificate. The available options depend on the key generation Algorithm:
If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, you must select SHA256, SHA384, or SHA512 as the Digest algorithm. If the Algorithm is Elliptic Curve DSA, both Digest algorithms (SHA256 and SHA384) work.
Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm (such as SHA384) or you must limit the Max Version to TLSv1.1 when you configure SSL/TLS service profiles for the firewall services (see Device > Certificate Management > SSL/TLS Service Profile).
Specify the number of days (default is 365) that the certificate will be valid.
If you specify a Validity Period in a GlobalProtect satellite configuration, that value will override the value entered in this field.
Add additional Certificate Attributes to identify the entity to which you are issuing the certificate. You can add any of the following attributes: Country, State, Locality, Organization, Department, and Email. In addition, you can specify one of the following Subject Alternative Name fields: Host Name (SubjectAltName:DNS), IP (SubjectAltName:IP), and Alt Email (SubjectAltName:email).
To add a country as a certificate attribute, select Country from the Type column and then click into the Value column to see the ISO 6366 Country Codes.
If you configured a hardware security module (HSM), the private keys are stored on the external HSM storage, not on the firewall.
Generate a Certificate
Generate a Certificate Palo Alto Networks firewalls and Panorama use certificates to authenticate clients, servers, users, and devices in several applications, including SSL/TLS decryption, Captive ...
Deploy Machine Certificates for Authentication
Deploy Machine Certificates for Authentication To confirm that the endpoint belongs to your organization, use your own public-key infrastructure (PKI) to issue and distribute machine ...
Deploy Server Certificates to the GlobalProtect Components
Deploy Server Certificates to the GlobalProtect Components The following table shows the best practice steps for deploying SSL/TLS certificates to the GlobalProtect components: Import a ...
Deploy Client Certificates to the GlobalProtect Satellites ...
Deploy Client Certificates to the GlobalProtect Satellites Using SCEP As an alternative method for deploying client certificates to satellites, you can configure your GlobalProtect portal ...
IKE Gateway General Tab
IKE Gateway General Tab Network > Network Profiles > IKE Gateways > General The following table describes the beginning settings to configure an IKE gateway ...
Deploy User-Specific Client Certificates for Authentication
Deploy User-Specific Client Certificates for Authentication To authenticate individual users, you must issue a unique client certificate to each GlobalProtect user and deploy the client ...
Deploy Certificates Using SCEP
Deploy Certificates Using SCEP If you have a Simple Certificate Enrollment Protocol (SCEP) server in your enterprise PKI, you can configure a SCEP profile to ...
Obtain the CA Certificate for the Panorama Controller
Obtain the Certificate Authority on the Panorama™ Controller to secure communication with the Panorama Nodes. ...
Device > Certificate Management > SCEP
Device > Certificate Management > SCEP The simple certificate enrollment protocol (SCEP) provides a mechanism for issuing a unique certificate to endpoints, gateways, and satellite ...