Device > Certificate Management > Certificate Profile
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Device > Certificate Management > Certificate Profile
- DeviceCertificate ManagementCertificate Profile
- PanoramaCertificate ManagementCertificate Profile
Certificate profiles define which certificate authority (CA) certificates to use for
verifying client certificates, how to verify certificate revocation status, and how that
status constrains access. You select the profiles when configuring certificate
authentication for Authentication Portal, GlobalProtect, site-to-site IPSec VPN, Dynamic
DNS (DDNS), and web interface access to firewalls and Panorama. You can configure a
separate certificate profile for each of these services.
Certificate Profile Settings
|
Description
|
---|---|
Name
|
(Required) Enter a name to identify the profile (up to 63
characters on the firewall or up to 31 characters on Panorama). The
name is case-sensitive and must be unique. Use only letters,
numbers, spaces, hyphens, and underscores.
|
Location
|
Select the scope in which the profile is available. In the context of
a firewall that has more than one virtual system (vsys), select a
vsys or select Shared (all virtual systems).
In any other context, you can’t select the
Location; its value is predefined as
Shared (firewalls) or as Panorama. After you save the
profile, you can't change its Location.
|
Username Field
|
If GlobalProtect only uses certificates for portal and gateway
authentication, the PAN-OS software uses the certificate field you
select in the Username Field drop-down as the
username and matches it to the IP address for the User-ID
service:
|
Domain
|
Enter the NetBIOS domain so the PAN-OS software can map users through
User-ID.
|
CA Certificates
|
(Required) Add a CA
Certificate to assign to the profile.
Optionally, if the firewall uses Online Certificate Status Protocol
(OCSP) to verify certificate revocation status, configure the
following fields to override the default behavior. For most
deployments, these fields do not apply.
In addition, enter a Template Name to identify
the template that was used to sign the certificate.
|
Use CRL
|
Select this option to use a certificate revocation list (CRL) to
verify the revocation status of certificates.
|
Use OCSP
|
Select this option to use OCSP to verify the revocation status of
certificates.
If you select both OCSP and CRL, the firewall first tries OCSP
and only falls back to the CRL method if the OCSP responder is
unavailable. |
CRL Receive Timeout
|
Specify the interval (1 to 60 seconds) after which the firewall stops
waiting for a response from the CRL service.
|
OCSP Receive Timeout
|
Specify the interval (1 to 60 seconds) after which the firewall stops
waiting for a response from the OCSP responder.
|
Certificate Status Timeout
|
Specify the interval (1 to 60 seconds) after which the firewall stops
waiting for a response from any certificate status service and
applies any session blocking logic you define.
|
Block session if certificate status is unknown
|
Select this option if you want the firewall to block sessions when
the OCSP or CRL service returns a certificate revocation status of
unknown. Otherwise, the firewall proceeds with the
sessions.
|
Block sessions if certificate status cannot be retrieved within
timeout
|
Select this option if you want the firewall to block sessions after
it registers an OCSP or CRL request timeout. Otherwise, the firewall
proceeds with the sessions.
|
Block sessions if the certificate was not issued to the
authenticating device
|
(GlobalProtect only) Select this option if you want the
firewall to block sessions when the serial number attribute in the
subject of the client certificate does not match the host ID that the
GlobalProtect app reports for the endpoint. Otherwise, the firewall
allows the sessions. This option applies only to GlobalProtect certificate
authentication.
|
Block sessions with expired certificates | Select this option if you want the firewall to block sessions with servers that present expired certificates. |