Block Private Key Export
Prevent the export of private keys to secure certificates
on PAN-OS devices.
You can permanently block the export
of private keys for certificates when you generate them in or import
them into PAN-OS or Panorama. Blocking the export of private keys
from your PAN-OS devices hardens your security posture because it
prevents rogue administrators or other bad actors from misusing
keys. Administrators with roles that include certificate management
can block the export of private keys. You can’t block keys that
already exist on a device; you can only block keys at the time that
you generate them in or import them into PAN-OS.
When an administrator blocks the export of a private key, no
administrator can export that key, not even Superuser administrators.
If you need to export a private key from a PAN-OS appliance, regenerate
the certificate and the key without selecting the option to block
private key export.
Blocking the export of private keys is supported on PAN-OS
version 10.1 or later releases. The push fails if you block the export of a private
key for a certificate on Panorama running PAN-OS version 10.1 or later and attempt
to push the configuration to a firewall running PAN-OS version earlier than 10.1.
To downgrade to an earlier version of PAN-OS, you must first
delete the certificates whose private keys are blocked. If you don’t
delete the certificates whose private keys are blocked before you
attempt to downgrade, an error message asks you to delete those
certificates. You can’t downgrade until you delete them. After you
downgrade, reimport or regenerate the deleted certificates if you
need them.
If you use an enterprise Public Key Infrastructure
(PKI) to generate certificates and private keys, block the export
of private keys because you can install them on new firewalls and
Panoramas from your enterprise certificate authority (CA), so there
is no reason to export them from PAN-OS.
If you generate
self-signed certificates on the firewall or Panorama and apply the
block private key export option, you can’t export the certificate
and key to other PAN-OS appliances.
You can export and import the device state ()
even if you block the export of private keys. We include the private
keys in
device state imports and exports,
but administrators can’t read or decode them.