Configure a Certificate Profile
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure a Certificate Profile
Certificate profiles define user and device authentication for Authentication
Portal, multi-factor authentication (MFA), GlobalProtect, site-to-site IPSec VPN,
external dynamic list validation, dynamic DNS (DDNS), User-ID agent and TS agent
access, and web interface access to Palo Alto Networks firewalls or Panorama. The
profiles specify which certificates to use, how to verify certificate revocation
status, and how that status constrains access. Configure a certificate profile for
each application.
Enable Online Certificate Status Protocol
(OCSP) and certificate revocation list (CRL) status verification in certificate
profiles to verify that a certificate hasn’t been revoked. Enable both OCSP and CRL
so that if the OCSP server isn’t available, the firewall uses CRL. For details on
these methods, see Certificate Revocation.
- Obtain the certificate authority (CA) certificates you will assign to the profile.Assign at least one certificate to a certificate profile. Choose one of the following options to obtain the CA certificates you will assign to the profile.
- Generate a certificate.
- Export a certificate from your enterprise CA, then import it onto the firewall (refer to step 3.2).
Identify the certificate profile.- Select DeviceCertificate ManagementCertificate Profile, and then Add a profile.Enter a Name to identify the profile.The name is case-sensitive, must be unique, and can use up to 63 characters on the firewall or up to 31 characters on Panorama. Only letters, numbers, spaces, hyphens, and underscores are allowed.If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.Assign one or more certificates to the profile.Repeat the following steps for each CA certificate:
- In the CA Certificates table, click Add.Select a CA Certificate.Alternatively, you can Import a certificate. To import a certificate, enter a Certificate Name, Browse for a Certificate File you exported from an enterprise CA, and then click OK.(Optional) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.
- By default, the firewall uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a Default OCSP URL (starting with http:// or https://).
- By default, the firewall uses the certificate selected in the CA Certificate field to validate OCSP responses. To use a different certificate for validation, select it in the OCSP Verify CA Certificate field.
Click OK. The CA Certificates table displays the assigned certificate.Define the methods for verifying certificate revocation status and the associated blocking behavior.- Select Use CRL or Use OCSP. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.Depending on the verification method, specify a CRL Receive Timeout or OCSP Receive Timeout value in seconds (range is 1 to 60).After these intervals, the firewall stops waiting for a response from the CRL or OCSP service.Specify a Certificate Status Timeout in seconds (range is 1 to 60).After this interval, the firewall stops waiting for a response from either certificate status service and applies any session-blocking logic you define. The Certificate Status Timeout relates to the OCSP or CRL Receive Timeout setting as follows:
- If you enable both OCSP and CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the aggregate of the two Receive Timeout values.
- If you enable only OCSP, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the OCSP Receive Timeout value.
- If you enable only CRL, the firewall registers a request timeout after the lesser of two intervals passes: the Certificate Status Timeout value or the CRL Receive Timeout value.
Block sessions if certificate status is unknown.If you select this option, the firewall blocks sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall allows these sessions.Block sessions if certificate status cannot be retrieved within timeout.If you select this option, the firewall blocks sessions after the firewall registers the timeout of an OCSP or CRL request. Otherwise, the firewall allows these sessions.(GlobalProtect only) Block sessions if the certificate was not issued to the authenticating device.If you select this option, the firewall blocks sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint.Block sessions with expired certificates.Click OK, then Commit your changes.