Block Export of Private Keys
10.0 (EoL)
Prevent the export of private keys to secure certificates
on PAN-OS devices.
You can now permanently block the export of private keys for
certificates to harden your security posture and prevent rogue administrators
or other bad actors from misusing keys. You can block keys when
you generate them in or import them into Panorama and PAN-OS, but
you cannot block keys that already exist on a device.
If you use an enterprise Public Key Infrastructure
(PKI) to generate certificates and private keys, block the export
of private keys because you can install them on new firewalls and
Panoramas from your enterprise certificate authority (CA), so there
is no reason to export them from PAN-OS.
You can generate and block keys, import and block keys, block
a key for IKE gateway authentication, and verify that the key is
blocked:
- To generate and block a private key from export:
  - Select Device > Certificate Management > Certificates > Device Certificates. If there is more than one virtual system, select a Location or Shared for the certificate.
  - Generate the certificate.
  - Select Block Private Key Export. See Generate a Certificate for information about the other certificate fields.
  - Click Generate to generate the new certificate.
- To import and block a private key from export:
  - Select Device > Certificate Management > Certificates > Device Certificates. If there is more than one virtual system, select a Location or Shared for the certificate.
  - Import the certificate.
  - Select Import Private Key.
  - Select Block Private Key Export. See Import a Certificate and Private Key for information about the other certificate import fields.
  - Click OK to import the certificate.
  If you use the SCP operational CLI command to import a certificate or to import a private key for a certificate, you can still block export of the private key:
    scp import private-key block-private-key ...
    scp import certificate block-private-key ...
  These CLI commands include keywords to specify the source, the certificate name, and other parameters that are not shown.
- To block a private key from export for IKE Gateway Authentication:
  - Select Network > Network Profiles > IKE Gateways.
  - Add a new IKE Gateway.
  - On the General tab, for Authentication, select Certificate.
  - For Local Certificate select Import or Generate depending on whether you want to import an existing certificate or create a certificate.
  - Enter the certificate information. If you are importing the certificate, select Import Private Key to activate the Block Private Key Export checkbox.
  - Select Block Private Key Export to prevent anyone from exporting the key. For importing a certificate, enter and confirm the Passphrase and then click OK. For generating a certificate, click Generate.
  - Enter the Passphrase, confirm it, and then click OK.
- To verify that a private key is blocked from export:
  - Check the Key column in Device > Certificate Management > Certificates > Device Certificates. The forward-untrust-certificate is not blocked and the forward-trust-certificate is blocked.
  - When you attempt to export a certificate whose private key is blocked, the Export Private Key checkbox is not available and you can’t export the key.