Certificate Management
To ensure trust between parties in a secure communication session, Prisma Access uses digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies that the issuer did not revoke the certificate.

Prisma Access uses certificates to secure features like decryption and authentication, and to secure communication between all the clients, servers, users, and devices connecting to your network. Here are some of the keys and certificates that Prisma Access uses. As a best practice, use different keys and certificates for each usage.
- Authentication—You can use certificate-based authentication for mobile users connecting to Prisma Access. Additionally, in deployments where Authentication policy identifies users who access HTTPS resources, designate a server certificate for the authentication portal. If you configure the authentication portal to use certificates for identifying users (instead of, or in addition to, interactive authentication), deploy client certificates also.
- Decrypting Trusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates.
- Decrypting Untrusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.
| Certificate Management Features | Description |
|---|---|
| Custom Certificates | Generate, import, renew, revoke, and export certificates. To generate a certificate, you must first Create a Self-Signed Root CA Certificate or import one (Import a Certificate and Private Key) to sign it. To use Online Certificate Status Protocol (OCSP) for verifying certificate revocation status, add an OCSP Responder before generating the certificate. As part of generating or importing a certificate, you'll need to define what type of certificate it is. |
| Certificate Profiles | Certificate profiles define user and device authentication for the features and interactions that rely on certificate authentication. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each of your use cases. |
| OCSP Responders | Use Online Certificate Status Protocol (OCSP) to check the revocation status of authentication certificates. The authenticating client sends a request containing the serial number of the certificate to the OCSP responder (server). The responder searches the database of the certificate authority (CA) that issued the certificate and returns a response containing the status (good, revoked, or unknown) to the client. The advantage of the OCSP method is that it can verify status in real time, instead of depending on the issue frequency (hourly, daily, or weekly) of CRLs. |
| SSL/TLS Service Profiles | Prisma Access uses SSL/TLS service profiles to specify a certificate and the allowed protocol versions for SSL/TLS services. By defining the protocol versions, you can use a profile to restrict the cipher suites that are available for securing communication with the clients requesting the services. This improves network security by excluding SSL/TLS versions that have known weaknesses. If a service request involves a protocol version that is outside the specified range, the firewall or Panorama downgrades or upgrades the connection to a supported version. |
| Default Trusted Certificate Authorities (CAs) | Prisma Access trusts the most common and trusted certificate authorities (CAs) by default. These trusted certificate providers are responsible for issuing the certificates the firewall requires to secure connections to the internet. The only additional CAs you might want to add are trusted enterprise CAs that your organization requires. |
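The OCSP exchange described above (client request carrying the serial number, responder look-up in the issuing CA's records, signed good/revoked answer), as an added example that is not Prisma Access code or part of this documentation. It uses the `cryptography` library and a constructed throwaway CA; the client-side `check_status` shows the checks a relying party should make before trusting the answer: responder signature, matching serial, and freshness.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
def _cert(subject, issuer, pub, signer, serial, is_ca):
    """Build and sign a minimal X.509 certificate for the constructed test PKI."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(serial)
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

def make_pki():
    """Constructed throwaway root CA plus one user certificate (serial 4242) it has issued."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    ca = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, 1, True)
    user_key = ec.generate_private_key(ec.SECP256R1())
    user_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "alice")])
    return ca_key, ca, _cert(user_name, ca_name, user_key.public_key(), ca_key, 4242, False)

def build_request(cert, issuer):
    """Client side: identify the certificate by issuer hashes plus its serial number."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA256()).build()

def respond(req, ca_key, ca, issued, revoked):
    """Responder side: look the serial up in the CA's records (issued/revoked) and sign the answer."""
    cert, now = issued[req.serial_number], datetime.now(timezone.utc)
    if req.serial_number in revoked:
        status, when, why = ocsp.OCSPCertStatus.REVOKED, now, x509.ReasonFlags.key_compromise
    else:
        status, when, why = ocsp.OCSPCertStatus.GOOD, None, None
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert, ca, hashes.SHA256(), status, now, now + timedelta(hours=1), when, why)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
            .sign(ca_key, hashes.SHA256()))
def check_status(resp, req, ca):
    """Client side: accept the answer only after checking signature, identity and freshness."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status}")
    # Only a response signed by the trusted CA (or its delegated responder) counts; raises InvalidSignature otherwise
    ca.public_key().verify(resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != req.serial_number:
        raise ValueError("response is for a different certificate")
    nxt = resp.next_update_utc if hasattr(resp, "next_update_utc") else resp.next_update.replace(tzinfo=timezone.utc)
    if nxt is not None and datetime.now(timezone.utc) > nxt:
        raise ValueError("stale OCSP response")  # a cached answer past nextUpdate proves nothing
    return resp.certificate_status
```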