Certificate Management

To ensure trust between parties in a secure communication session, Prisma Access uses digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate.Prisma Access uses certificates to secure features like decryption and authentication, and to secure communication between all the clients, servers, users, and devices connecting to your network. Here are some of the keys and certificates that Prisma Access uses.
As a best practice, use different keys and certificates for each usage.
  • Authentication—You can use certificate-based authentication for mobile users connecting to Prisma Access. Additionally, in deployments where Authentication policy identifies users who access HTTPS resources, designate a server certificate for the
    authentication portal
    . If you configure the authentication portal to use certificates for identifying users (instead of, or in addition to, interactive authentication), deploy client certificates also.
  • Decrypting Trusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware security module (for details, see Secure Keys with a Hardware Security Module).
  • Decrypting Untrusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.
Certificate Management Features
Custom Certificates
Generate, import, renew, revoke, and export certificates. To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, add an OCSP Responder before generating the certificate. And as part of generating or importing a certificate, you’ll need to define what type of certificate it is.
Certificate Profiles
Certificate profiles define user and device authentication for the features and interactions that rely on certificate authentication. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each of your use cases.
OCSP Responders
Use Online Certificate Status Protocol (OCSP) to check the revocation status of authentication certifcates. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked or unknown) to the client. The advantage of the OCSP method is that it can verify status in real-time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs.
SSL/TLS Service Profiles
Prisma Access uses SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by enabling Prisma Access SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version.
Default Trusted Certificate Authorities (CAs))
Prisma Accesstrusts the most common and trusted authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates the firewall requires to secure connections to the internet.The only additional CAs you might want to add are trusted enterprise CAs that your organization requires.

Recommended For You