Focus

Configure a Certificate Profile

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Export a Certificate and Private Key

Configure an SSL/TLS Service Profile

Configure a Certificate Profile

Certificate profiles define user and device authentication for Authentication Portal, multi-factor authentication (MFA), GlobalProtect, site-to-site IPSec VPN, external dynamic list validation, dynamic DNS (DDNS), User-ID agent and TS agent access, and web interface access to Palo Alto Networks firewalls or Panorama. The profiles specify which certificates to use, how to verify certificate revocation status, and how that status constrains access. Configure a certificate profile for each application.

Enable Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) status verification in certificate profiles to verify that a certificate hasn’t been revoked. Enable both OCSP and CRL so that if the OCSP server isn’t available, the firewall uses CRL. For details on these methods, see Certificate Revocation.

Obtain the certificate authority (CA) certificates you will assign to the profile.

Assign at least one certificate to a certificate profile. Choose one of the following options to obtain the CA certificates you will assign to the profile.

Generate a certificate.

Export a certificate from your enterprise CA, then import it onto the firewall (refer to step 3.2).

Identify the certificate profile.

Select

Device

Certificate Management

Certificate Profile

, and then

Add

a profile.

Enter a

Name

to identify the profile.

The name is case-sensitive, must be unique, and can use up to 63 characters on the firewall or up to 31 characters on Panorama. Only letters, numbers, spaces, hyphens, and underscores are allowed.

If the firewall has more than one virtual system (vsys), select a

Location

(vsys or

Shared

) for the certificate.

Assign one or more certificates to the profile.

Repeat the following steps for each CA certificate:

In the CA Certificates table, click

Add

Select a

CA Certificate

Alternatively, you can

Import

a certificate. To import a certificate, enter a

Certificate Name

Browse

for a

Certificate File

you exported from an enterprise CA, and then click

(Optional
) If the firewall uses OCSP to verify certificate revocation status, configure the following fields to override the default behavior. For most deployments, these fields do not apply.

By default, the firewall uses the Authority Information Access (AIA) information from the certificate to extract the OCSP responder information. To override the AIA information, enter a

Default OCSP URL

(starting with

http://

https://

By default, the firewall uses the certificate selected in the

CA Certificate

field to validate OCSP responses. To use a different certificate for validation, select it in the

OCSP Verify CA Certificate

field.

Click

. The CA Certificates table displays the assigned certificate.

Define the methods for verifying certificate revocation status and the associated blocking behavior.

Select

Use CRL

Use OCSP

. If you select both, the firewall first tries OCSP and falls back to the CRL method only if the OCSP responder is unavailable.

Depending on the verification method, specify a

CRL Receive Timeout

OCSP Receive Timeout

value in seconds (range is 1 to 60).

After these intervals, the firewall stops waiting for a response from the CRL or OCSP service.

Specify a

Certificate Status Timeout

in seconds (range is 1 to 60).

After this interval, the firewall stops waiting for a response from either certificate status service and applies any session-blocking logic you define. The

Certificate Status Timeout

relates to the OCSP or CRL

Receive Timeout

setting as follows:

If you enable both OCSP and CRL, the firewall registers a request timeout after the lesser of two intervals passes: the

Certificate Status Timeout

value or the aggregate of the two

Receive Timeout

values.

If you enable only OCSP, the firewall registers a request timeout after the lesser of two intervals passes: the

Certificate Status Timeout

value or the OCSP

Receive Timeout

value.

If you enable only CRL, the firewall registers a request timeout after the lesser of two intervals passes: the

Certificate Status Timeout

value or the CRL

Receive Timeout

value.

Block sessions if certificate status is unknown

If you select this option, the firewall blocks sessions when the OCSP or CRL service returns a certificate revocation status of unknown. Otherwise, the firewall allows these sessions.

Block sessions if certificate status cannot be retrieved within timeout

If you select this option, the firewall blocks sessions after the firewall registers the timeout of an OCSP or CRL request. Otherwise, the firewall allows these sessions.

(GlobalProtect only)

Block sessions if the certificate was not issued to the authenticating device

If you select this option, the firewall blocks sessions when the serial number attribute in the subject of the client certificate does not match the host ID that the GlobalProtect app reports for the endpoint.

Block sessions with expired certificates

Click

, then

Commit

your changes.

Export a Certificate and Private Key

Configure an SSL/TLS Service Profile

Next-Generation Firewall Docs

Configure a Certificate Profile

Next-Generation Firewall Docs

Configure a Certificate Profile

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner