Focus

Configure the Key Size for SSL Forward Proxy Server Certificates

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Replace the Certificate for Inbound Management Traffic

Revoke and Renew Certificates

Configure the Key Size for SSL Forward Proxy Server Certificates

When responding to a client in an SSL Forward Proxy session, the firewall creates a copy of the certificate that the destination server presents and uses the copy to establish a connection with the client. By default, the firewall generates certificates with the same key size as the certificate that the destination server presented. However, you can change the key size for the firewall-generated certificate.

Changing key size settings clears the current certificate cache.

Select

Device

Setup

Session

and, in the Decryption Settings section, click

SSL Forward Proxy Settings

Edit the Forward Proxy Server Certificate Settings.

Select an

RSA Key Size

Defined by destination host

(default)—The firewall determines the key size and the hashing algorithm for the certificates it generates to establish SSL proxy sessions with clients based on the destination server certificate.

If the destination server uses a 1,024-bit RSA key, the firewall generates a certificate with a 1,024-bit RSA key.

If the destination server uses a key size larger than 1,024 bits (for example, 2,048 or 4,096 bits), the firewall generates a certificate with a 2,048-bit RSA key.

If the destination server uses the SHA-1 hashing algorithm, the firewall generates a certificate with the SHA-1 hashing algorithm.

If the destination server uses a hashing algorithm stronger than SHA-1, the firewall generates a certificate with the SHA-256 algorithm.

1024-bit RSA

—The firewall generates certificates that use a 1,024-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates.

As of December 31, 2013, public certificate authorities (CAs) and popular browsers have limited support for X.509 certificates that use keys of fewer than 2,048 bits. In the future, depending on security settings, when presented with such keys the browser might warn the user or block the SSL/TLS session entirely.

2048-bit RSA

—The firewall generates certificates that use a 2,048-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates. Public CAs and popular browsers support 2,048-bit keys, which provide better security than 1,024-bit keys.

3072-bit RSA

—The firewall generates certificates that use a 3,072-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates.

4096-bit RSA

—The firewall generates certificates that use a 4,096-bit RSA key and the SHA-256 hashing algorithm regardless of the key size of the destination server certificates.

Select an

ECDSA Key Size

Defined by destination host

(default)—The firewall generates certificates based on the key size that the destination server uses.

If the destination server uses an ECDSA 256-bit or 384-bit key, the firewall generates a certificate with that key size.

If the destination server uses a key size larger than 384 bits, the firewall generates a certificate with a 521-bit key.

256-bit ECDSA

—The firewall generates certificates with an ECDSA 256-bit key regardless of the key size that the destination server uses.

384-bit ECDSA

—The firewall generates certificates with an ECDSA 384-bit key regardless of the key size that the destination server uses.

Click

and

Commit

your changes.

Replace the Certificate for Inbound Management Traffic

Revoke and Renew Certificates

Next-Generation Firewall Docs

Configure the Key Size for SSL Forward Proxy Server Certificates

Next-Generation Firewall Docs

Configure the Key Size for SSL Forward Proxy Server Certificates

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner