Use Azure Key Vault to Store VM-Series Certificates
Integrate cloud native key managers to store certificates.
You can integrate cloud native key managers to store certificates. Private keys used for certificates are not stored on the firewall’s hard drive, which removes the risk of private key exposure from the firewall’s local storage. Administrators retain certificates and private keys in cloud storage. The firewall uses Azure Key Vault to retrieve the certificates and private keys from cloud storage and uses them for features such as decryption and IPSec.
Only VM-Series firewalls are supported to enable certificate retrieval via Azure Key Vault. If you are using Key Vault certificates, you cannot downgrade to an earlier version of PAN-OS.
For outbound and inbound decryption, upload the certificates to the native key manager and grant the NGFW the required access permissions. An NGFW on a public cloud can use Key Vault to store certificates. In such cases, configure the required access management policies for those instances using the PAN-OS web interface or the CLI.
For environments using autoscaling, an instance boots up in a state with the necessary certificates retrieved and ready to decrypt traffic without additional manual configuration.
When a certificate is updated in the cloud, it must be re-imported onto the firewall as a new certificate. You must assign IAM roles to an instance so that the instance can retrieve certificates from the Azure Key Vault store. The IAM role must have Get permission for Secrets on Azure Key Vault.
Certificates are retrieved from the Key Vault’s Certificates store, not from its Secrets section. PEM is the only supported format; PKCS12 and chained certificates are not supported.
All certificates are deleted when the master key changes, and are then re-fetched upon commit. When the configuration is synchronized to the passive firewall in an HA pair, the management daemon on the passive firewall downloads the certificate itself; as a result, the certificate is not part of the synchronized configuration.
  1. Download a certificate.
  2. Create a Key Vault on Azure in the same resource group where your VM-Series firewall is deployed. Use the Key Vault where you stored the certificate (public and private key) in PEM format.
    Upload the certificate and private key together in .pem format.
  3. After you create the Key Vault, under Access Policies, click Create and add the Managed Identity.
  4. Return to your resource group and select the VM-Series firewall. Click Identity > User Assigned and add the Managed Identity.
    The Managed Identity must also be granted permissions on the Key Vault.
  5. Return to your Key Vault and select Certificates. Import your certificate PEM file.
    Certificates must be kept in PEM format in Key Vault > Certificates.
  6. Log into the VM-Series firewall.
  7. Select Device > Certificate Management > Certificates > Import.
    If you want to import an ECDSA certificate, change the private key header and footer from:
    -----BEGIN EC PRIVATE KEY-----
    and
    -----END EC PRIVATE KEY-----
    to:
    -----BEGIN PRIVATE KEY-----
    and
    -----END PRIVATE KEY-----
    If you want to import a PEM certificate, the private key must use the following header and footer:
    -----BEGIN PRIVATE KEY-----
    and
    -----END PRIVATE KEY-----
  8. Under Cloud, enter the certificate name and set the file format to PEM.
  9. Select Cloud as the Certificate Type, then configure the following fields:
    1. Enter the Certificate Name; copy this from the Key Vault in the Azure Portal.
    2. Choose Azure from the Cloud Platform drop-down.
    3. Enter the Azure Key Vault URI to specify the location of the Key Vault; copy this from the Key Vault in the Azure Portal.
    4. Enter the Cloud Secret Name. This is used to store the certificate in Azure Key Vault.
    5. You can specify the Algorithm in the Certificate Information screen. Choose the algorithm for your configuration, either RSA or Elliptic Curve DSA; by default, the algorithm is set to RSA. Configure the certificate to use either Forward Trust Certificate, Forward Untrust Certificate, or Trusted Root CA. You can alternatively select all algorithms for the certificate.
    6. Click OK.
    7. Commit your changes.
  10. Verify that the certificate was added successfully:
    1. Select Device > Certificate Management > Certificates.
    2. Your new certificate should be listed.
    Certificate details are not displayed in the Certificates screen. To view this information in the CLI, use the command:
    show shared certificate <cert-name>
    You can confirm configuration of certificate integration in Panorama. Use the Device Certificate window to determine whether the certificate is used. Keep in mind that because the data is not stored in the running configuration (the hard drive), all fields in the Device Certificates table are empty, except for the Usage field (if configured) and the Cloud Secret Name.
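As an added pre-import check (this is not PAN-OS code or part of the Palo Alto Networks documentation), the script below lints a combined certificate-and-key PEM file against the constraints in the procedure above: PEM armour only (no PKCS12), exactly one certificate (no chain), and a private key carrying the PKCS#8 "PRIVATE KEY" header rather than the "EC PRIVATE KEY" form. It generalizes the header rule to any traditional key header; the sample bundle and its base64 bodies are constructed placeholders, not real key material.

```python
import re

# Constructed sample of a combined PEM bundle as it would be uploaded to
# Key Vault > Certificates. The base64 bodies are placeholders only.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBxzCCAW2gAwIBAgIUAAAA
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIAAAA
-----END EC PRIVATE KEY-----
"""

# One PEM block: matching BEGIN/END labels with a base64 body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def lint_keyvault_pem(pem_text: str) -> list:
    """Return the problems that would stop the VM-Series firewall from using
    this file via Key Vault. An empty list means the bundle is ready to import."""
    problems = []
    pem_text = pem_text.replace("\r\n", "\n")
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        # A PKCS12/PFX file is binary DER and carries no PEM armour at all.
        return ["not PEM (no BEGIN/END blocks found); PKCS12 is not supported"]
    labels = [label for label, _ in blocks]
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("no CERTIFICATE block: upload the certificate and key together")
    elif certs > 1:
        problems.append("chained certificate (%d CERTIFICATE blocks) is not supported" % certs)
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    for label in keys:
        if label != "PRIVATE KEY":
            # Traditional headers such as EC PRIVATE KEY must be presented as
            # PKCS#8 (-----BEGIN PRIVATE KEY-----) before the Key Vault import;
            # 'openssl pkcs8 -topk8 -nocrypt' performs a proper conversion.
            problems.append(
                "private key header is %s; convert to PRIVATE KEY (PKCS#8)" % label)
    for label, body in blocks:
        if not re.fullmatch(r"[A-Za-z0-9+/=\n]+", body):
            problems.append("%s block body is not base64" % label)
    return problems
```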