Support for 4,096-bit RSA Certificates
The firewall and Panorama now support RSA certificates with 4,096-bit keys, which are more secure than smaller keys. You can use these certificates to authenticate clients, servers, users, and devices in multiple applications, including Captive Portal, GlobalProtect, site-to-site IPSec VPN, and web interface access.
The maximum key size is 3,072 bits for certificates that you generate on firewalls in FIPS mode. For certificates that are used in two-factor GlobalProtect authentication, the RSA keys must be 2,048 bits or 3,072 bits.
Generate a 4,096-bit RSA Certificate
Select Device > Certificate Management > Certificates > Device Certificates and Generate a new certificate.
Select Local and enter a Certificate Name.
Specify the Common Name, either the FQDN (recommended) or the IP address of the interface on which you will configure the service that will use this certificate.
Select Certificate Authority (CA) if this is a CA certificate. Otherwise, from the Signed By drop-down, select the root CA certificate that will issue this certificate.
Set the Algorithm to RSA (default) and the Number of Bits to 4096.
Select the Digest algorithm (default is sha256).
Enter the Expiration period, which is the number of days for which the certificate is valid (default is 365).
Generate the certificate.
Click the certificate Name in the Device Certificates tab to edit it.
Select the usage description(s) that correspond to the intended use of the certificate.
Click OK and Commit.
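An added example, not from the original documentation or the product: a Python check that reads the RSA modulus size from a DER-encoded SubjectPublicKeyInfo and reports which of the key-size limits stated above it breaks. The function names, the flags and the sample key (a constructed modulus, not a real key) are assumptions made for illustration.

```python
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def der_read(buf, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, pos + 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    return tag, pos + 2 + n, pos + 2 + n + length

def rsa_bits_from_spki(spki):
    """Modulus size in bits of a DER SubjectPublicKeyInfo; rejects non-RSA keys."""
    _, start, _ = der_read(spki, 0)                    # outer SEQUENCE
    _, alg_start, alg_end = der_read(spki, start)      # AlgorithmIdentifier
    if spki[alg_start:alg_end] != RSA_ALG:
        raise ValueError("not an RSA public key")
    _, bits_start, _ = der_read(spki, alg_end)         # BIT STRING
    _, key_start, _ = der_read(spki, bits_start + 1)   # skip unused-bits byte
    _, mod_start, mod_end = der_read(spki, key_start)  # INTEGER modulus
    return int.from_bytes(spki[mod_start:mod_end], "big").bit_length()

def violations(bits, generated_in_fips_mode=False, gp_two_factor=False):
    """Key-size limits from the text above that a key of this size breaks."""
    found = []
    if generated_in_fips_mode and bits > 3072:
        found.append("FIPS mode: maximum key size is 3,072 bits")
    if gp_two_factor and bits not in (2048, 3072):
        found.append("GlobalProtect two-factor: key must be 2,048 or 3,072 bits")
    return found

def der(tag, body):
    """Encode one DER element (used only to build the sample below)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def der_int(value):
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def sample_spki(bits):
    """Constructed SubjectPublicKeyInfo of the given size; not a real key."""
    rsa_key = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    return der(0x30, der(0x30, RSA_ALG) + der(0x03, b"\x00" + rsa_key))

if __name__ == "__main__":
    size = rsa_bits_from_spki(sample_spki(4096))
    print(size, violations(size, generated_in_fips_mode=True))
```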
