Configure a Certificate Profile
Certificate profiles define user and device authentication for Authentication
Portal, multi-factor authentication (MFA), GlobalProtect, site-to-site IPSec VPN,
external dynamic list validation, dynamic DNS (DDNS), User-ID agent and TS agent
access, and web interface access to Palo Alto Networks firewalls or Panorama. The
profiles specify which certificates to use, how to verify certificate revocation
status, and how that status constrains access. Configure a certificate profile for
each application.
Enable Online Certificate Status Protocol
(OCSP) and certificate revocation list (CRL) status verification in certificate
profiles to verify that a certificate hasn’t been revoked. Enable both OCSP and CRL
so that if the OCSP server isn’t available, the firewall uses CRL. For details on
these methods, see Certificate Revocation.
1. Obtain the certificate authority (CA) certificates you will assign to the profile. Assign at least one certificate to a certificate profile. Choose one of the following options to obtain the CA certificates you will assign to the profile.
   - Export a certificate from your enterprise CA, then import it onto the firewall (refer to step 3.2).
2. Identify the certificate profile.
   1. Select Device > Certificate Management > Certificate Profile, and then Add a profile.
   2. Enter a Name to identify the profile. The name is case-sensitive, must be unique, and can use up to 63 characters on the firewall or up to 31 characters on Panorama. Only letters, numbers, spaces, hyphens, and underscores are allowed.
   3. If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
3. Assign one or more certificates to the profile. Repeat the following steps for each CA certificate:
   1. In the CA Certificates table, click Add.
   2. Select a CA Certificate. Alternatively, you can Import a certificate. To import a certificate, enter a Certificate Name, Browse for a Certificate File you exported from an enterprise CA, and then click OK.
   3. (Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
      - By default, the firewall uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://).
      - By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
   4. Click OK. The CA Certificates table displays the assigned certificate.
4. Define the methods for verifying certificate revocation status and the associated blocking behavior.
   1. Select Use CRL or Use OCSP. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.
   2. Depending on the verification method, specify a CRL Receive Timeout or OCSP Receive Timeout value in seconds (range is 1 to 60). After these intervals, the firewall stops waiting for a response from the CRL or OCSP service.
   3. Specify a Certificate Status Timeout in seconds (range is 1 to 60). After this interval, the firewall stops waiting for a response from either certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP or CRL Receive Timeout setting as follows:
      - If you enable both OCSP and CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
      - If you enable only OCSP, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
      - If you enable only CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
   4. Block sessions if certificate status is unknown. If you select this option, the firewall blocks sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall allows these sessions.
   5. Block sessions if certificate status cannot be retrieved within timeout. If you select this option, the firewall blocks sessions after the firewall registers the timeout of an OCSP or CRL request. Otherwise, the firewall allows these sessions.
   6. (GlobalProtect only) Block sessions if the certificate was not issued to the authenticating device. If you select this option, the firewall blocks sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint.
   7. Block sessions with expired certificates.
5. Click OK, then Commit your changes.
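The interplay between Use OCSP/Use CRL, the two Receive Timeouts, the Certificate Status Timeout and the Block sessions options is easy to misjudge, so the following added model (not Palo Alto Networks code; all timeout values, class and function names are constructed for illustration) applies the rules described above to a session and returns whether it is allowed or why it is blocked.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"   # answers a revocation service can give
Answer = Optional[Tuple[str, int]]  # (status, seconds until it arrives); None = never answers

@dataclass
class CertificateProfile:
    """Revocation settings of the profile. Values are constructed samples, not PAN-OS defaults."""
    use_ocsp: bool = True
    use_crl: bool = True
    ocsp_receive_timeout: int = 5        # seconds, range 1 to 60
    crl_receive_timeout: int = 5         # seconds, range 1 to 60
    certificate_status_timeout: int = 5  # seconds, range 1 to 60
    block_unknown: bool = False          # Block sessions if certificate status is unknown
    block_on_timeout: bool = False       # Block sessions if status cannot be retrieved within timeout
    block_expired: bool = True           # Block sessions with expired certificates

def effective_timeout(p: CertificateProfile) -> Optional[int]:
    """A request timeout is registered after the lesser of the Certificate Status
    Timeout and the sum of the enabled Receive Timeouts."""
    receive = (p.ocsp_receive_timeout if p.use_ocsp else 0) + (p.crl_receive_timeout if p.use_crl else 0)
    return None if receive == 0 else min(p.certificate_status_timeout, receive)

def revocation_status(p: CertificateProfile, ocsp: Answer = None, crl: Answer = None) -> Optional[str]:
    """OCSP first; the CRL is consulted only after the OCSP responder fails to answer
    within its Receive Timeout, so a CRL answer is delayed by that wait."""
    limit = effective_timeout(p)
    if limit is None:
        return None  # no revocation checking configured
    if p.use_ocsp and ocsp is not None and ocsp[1] <= min(limit, p.ocsp_receive_timeout):
        return ocsp[0]
    if p.use_crl and crl is not None:
        arrives = (p.ocsp_receive_timeout if p.use_ocsp else 0) + crl[1]
        if arrives <= limit:
            return crl[0]
    return "timeout"

def evaluate_session(p: CertificateProfile, ocsp: Answer = None, crl: Answer = None,
                     expired: bool = False) -> str:
    """Apply the Block sessions options: returns 'allow' or the reason the session is blocked."""
    if expired and p.block_expired:
        return "block: certificate expired"
    status = revocation_status(p, ocsp, crl)
    if status == REVOKED:
        return "block: certificate revoked"
    if status == UNKNOWN and p.block_unknown:
        return "block: status unknown"
    if status == "timeout" and p.block_on_timeout:
        return "block: status not retrieved within timeout"
    return "allow"
```

With the sample values, a CRL fallback that starts only after the 5-second OCSP wait cannot finish inside a 5-second Certificate Status Timeout, so the session is evaluated as a timeout; raising the Certificate Status Timeout above the OCSP Receive Timeout is what makes the fallback usable.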