Device > Certificate Management > Certificate Profile
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Device > Certificate Management > Certificate Profile
- DeviceCertificate ManagementCertificate Profile
- PanoramaCertificate ManagementCertificate Profile
Certificate profiles define which certificate authority (CA)
certificates to use for verifying client certificates, how to verify
certificate revocation status, and how that status constrains access.
You select the profiles when configuring certificate authentication
for Authentication Portal, GlobalProtect, site-to-site IPSec VPN,
Dynamic DNS (DDNS), and web interface access to firewalls and Panorama.
You can configure a separate certificate profile for each of these services.
Certificate Profile Settings | Description |
---|---|
Name | (Required) Enter a name to identify
the profile (up to 63 characters on the firewall or up to 31 characters
on Panorama). The name is case-sensitive and must be unique. Use only
letters, numbers, spaces, hyphens, and underscores. |
Location | Select the scope in which the profile is
available. In the context of a firewall that has more than one virtual
system (vsys), select a vsys or select Shared (all
virtual systems). In any other context, you can’t select the Location;
its value is predefined as Shared (firewalls) or as Panorama.
After you save the profile, you can’t change its Location. |
Username Field | If GlobalProtect only uses certificates
for portal and gateway authentication, the PAN-OS software uses
the certificate field you select in the Username Field drop-down
as the username and matches it to the IP address for the User-ID
service:
|
Domain | Enter the NetBIOS domain so the PAN-OS software
can map users through User-ID. |
CA Certificates | (Required) Add a CA
Certificate to assign to the profile. Optionally,
if the firewall uses Online Certificate Status Protocol (OCSP) to
verify certificate revocation status, configure the following fields
to override the default behavior. For most deployments, these fields
do not apply.
In
addition, enter a Template Name to identify
the template that was used to sign the certificate. |
Use CRL | Select this option to use a certificate
revocation list (CRL) to verify the revocation status of certificates. |
Use OCSP | Select this option to use OCSP to verify
the revocation status of certificates. If you select
both OCSP and CRL, the firewall first tries OCSP and only falls
back to the CRL method if the OCSP responder is unavailable. |
CRL Receive Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from the CRL service. |
OCSP Receive Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from the OCSP responder. |
Certificate Status Timeout | Specify the interval (1 to 60 seconds) after
which the firewall stops waiting for a response from any certificate
status service and applies any session blocking logic you define. |
Block session if certificate status is unknown | Select this option if you want the firewall
to block sessions when the OCSP or CRL service returns a certificate
revocation status of unknown. Otherwise, the firewall proceeds
with the sessions. |
Block sessions if certificate
status cannot be retrieved within timeout | Select this option if you want
the firewall to block sessions after it registers an OCSP or CRL
request timeout. Otherwise, the firewall proceeds with the sessions. |
Block sessions if the certificate was not
issued to the authenticating device | (GlobalProtect only) Select this
option if you want the firewall to block sessions when the serial
number attribute in the subject of the client certificate does not
match the host ID that the GlobalProtect app reports
for the endpoint. Otherwise, the firewall allows the sessions. This
option applies only to GlobalProtect certificate authentication. |
Block sessions with expired certificates | Select this option if you want the firewall to block sessions with servers that present expired certificates. |