Import a Certificate and Private Key
If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.

On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.

Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.

If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
- From the enterprise CA, export the certificate and private key that the firewall will use for authentication. When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
- Select Device > Certificate Management > Certificates > Device Certificates.
- If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
- Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
- To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
- Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
- Select a File Format:
  - Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
  - Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step. (Panorama managed firewalls) You are required to Import Private Key if you enabled Block Private Key Export when the certificate was generated; otherwise configuration changes cannot be pushed successfully from the Panorama management server to managed firewalls.
  - (SD-WAN IKEv2 Certificate Authentication Support, beginning with the SD-WAN 3.2.0 release) Multiple Certificates (.tar): Contains multiple certificates archived in tar format. Use a CSV file to bulk import the certificates into the Panorama management server. Follow these steps if you select Multiple Certificates (.tar):
    - Click Download Sample CSV to download and save the Certificates.CSV template. Populate the template with the certificate-related information: certificate name, format, passphrase, block private key, and file name. Following is a sample Certificates.CSV:
    - Enter the certificate file name with an extension. The file name should exactly match the certificate file that you will be uploading to the device.
    - All the certificate fields are case-sensitive except the format and passphrase fields.
    - To import multiple certificates, archive all the certificates and the populated Certificates.CSV file in .tar format. Browse and select a .tar file to bulk import the Certificate File. The PKCS12 certificate format is supported. The archive (.tar) file must be smaller than 10 MB. Ensure that the extension of the tar file is .tar. All the certificates must be signed by the same CA within the SD-WAN VPN cluster. You must import the CA certificate along with the device certificate. The device certificate must be directly signed by the root CA (no intermediate certificates are allowed).
    - You must commit after the bulk import for the certificates to be available for further configuration.
- Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
- Click OK. The Device Certificates page displays the imported certificate.
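The checks a practitioner would want to run on the exported material before clicking Import, as an added example written for this page (it is not Palo Alto Networks code): it validates a proposed Certificate Name against the length and character rules in the procedure above, confirms that a PEM key file is passphrase-protected and that the certificate file carries a chain rather than a single certificate, and inspects a Multiple Certificates (.tar) bundle for the .tar extension, the 10 MB limit, a Certificates.CSV whose rows name PKCS12 files that are present in the archive, and file names that carry an extension. The CSV column headings used here (name, format, passphrase, block_private_key, file_name) are assumptions, since the page describes the fields but its sample CSV is not reproduced; the sample rows and the .p12 members are constructed placeholders, not real PKCS12 containers.

```python
"""Pre-flight checks for certificate material before importing it into a
PAN-OS firewall or Panorama.  Added example, not Palo Alto Networks code.
The Certificates.CSV header names below are assumed: the page lists the
fields (name, format, passphrase, block private key, file name) but not
their exact column headings."""
import csv
import io
import os
import re
import tarfile
import tempfile

# Limits stated in the import procedure
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_NAME_LEN = {"firewall": 63, "panorama": 31}
MAX_TAR_BYTES = 10 * 1024 * 1024
CSV_COLUMNS = ("name", "format", "passphrase", "block_private_key", "file_name")  # assumed headings


def check_certificate_name(name, target="firewall", existing=()):
    """Return the problems with a proposed Certificate Name (empty list = OK)."""
    problems = []
    if not name:
        return ["name is empty"]
    if len(name) > MAX_NAME_LEN[target]:
        problems.append(f"name longer than {MAX_NAME_LEN[target]} characters for {target}")
    if not NAME_RE.match(name):
        problems.append("name may only contain letters, numbers, hyphens and underscores")
    if name in existing:  # names are case-sensitive, so compare exactly
        problems.append("name already in use")
    return problems


def pem_block_types(text):
    """Types of the PEM blocks in a file, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", text)


def check_pem_pair(cert_pem, key_pem):
    """PEM import: the key travels as a separate file, so flag a key that is
    not passphrase-protected and a certificate file that holds no chain."""
    problems = []
    certs = [t for t in pem_block_types(cert_pem) if t == "CERTIFICATE"]
    if not certs:
        problems.append("certificate file contains no CERTIFICATE block")
    elif len(certs) == 1:
        problems.append("certificate file holds one certificate; include the whole chain if there is one")
    kinds = pem_block_types(key_pem)
    if "ENCRYPTED PRIVATE KEY" in kinds or "Proc-Type: 4,ENCRYPTED" in key_pem:
        pass  # PKCS#8 encrypted key, or legacy PEM key with an encryption header
    elif any(k.endswith("PRIVATE KEY") for k in kinds):
        problems.append("private key is not passphrase-protected")
    else:
        problems.append("key file contains no private key")
    return problems


def check_bulk_archive(path):
    """Checks for a Multiple Certificates (.tar) bulk import into Panorama."""
    problems = []
    if not path.endswith(".tar"):
        problems.append("archive extension must be .tar")
    if os.path.getsize(path) >= MAX_TAR_BYTES:
        problems.append("archive must be smaller than 10 MB")
    with tarfile.open(path) as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        if "Certificates.CSV" not in members:
            return problems + ["Certificates.CSV missing from archive"]
        text = io.TextIOWrapper(tar.extractfile(members["Certificates.CSV"]), encoding="utf-8")
        seen = set()
        for row in csv.DictReader(text):
            name = row.get("name", "")
            problems += [f"{name}: {p}" for p in check_certificate_name(name, "panorama", seen)]
            seen.add(name)
            if row.get("format", "").lower() != "pkcs12":  # format field is not case-sensitive
                problems.append(f"{name}: format must be PKCS12")
            file_name = row.get("file_name", "")
            if "." not in file_name:
                problems.append(f"{name}: file name needs an extension")
            if file_name not in members:  # exact, case-sensitive match against the archive
                problems.append(f"{name}: {file_name} not found in archive")
    return problems


SAMPLE_ROWS = [  # constructed sample data
    {"name": "branch-01", "format": "PKCS12", "passphrase": "s3cret", "block_private_key": "yes", "file_name": "branch-01.p12"},
    {"name": "branch-02", "format": "pkcs12", "passphrase": "s3cret", "block_private_key": "yes", "file_name": "branch-02.p12"},
]


def build_sample_archive(rows=SAMPLE_ROWS, omit=()):
    """Write Certificates.CSV plus placeholder .p12 members into a fresh
    temporary .tar and return its path.  The .p12 bytes are dummies."""
    path = os.path.join(tempfile.mkdtemp(), "certs.tar")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    with tarfile.open(path, "w") as tar:
        _add_member(tar, "Certificates.CSV", buf.getvalue().encode("utf-8"))
        for row in rows:
            if row["file_name"] not in omit:
                _add_member(tar, row["file_name"], b"placeholder PKCS12 bytes")
    return path


def _add_member(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


if __name__ == "__main__":
    print(check_bulk_archive(build_sample_archive()))  # []
    print(check_bulk_archive(build_sample_archive(omit={"branch-02.p12"})))
```

Run the file directly and it builds a constructed archive in a temporary directory, reports no problems for it, and then reports the member that the second archive deliberately omits. The checks are structural only: they do not open the PKCS12 containers or verify that every device certificate is signed directly by the same root CA, which still needs a certificate tool on the management system.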