Device > Certificate Management > Certificates
Select Device > Certificate Management > Certificates > Device Certificates to manage (generate, import, renew, delete, and revoke) certificates, which are used to secure communication across a network. You can also export and import the high availability (HA) key that secures the connection between HA peers on the network. Select Device > Certificate Management > Certificates > Default Trusted Certificate Authorities to view, enable, and disable the certificate authorities (CAs) that the firewall trusts.
For more information on how to implement certificates on the firewall and Panorama, refer to Certificate Management .
Manage Firewall and Panorama Certificates
Select Device > Certificate Management > Certificates > Device Certificates or Panorama > Certificate Management > Certificates > Device Certificates to display the certificates that the firewall or Panorama uses for tasks such as securing access to the web interface, SSL decryption, or LSVPN.
The following are some uses for certificates. Define the usage of the certificate after you generate it (see Manage Default Trusted Certificate Authorities).
Forward Trust —The firewall uses this certificate to sign a copy of the server certificate that the firewall presents to clients during SSL Forward Proxy decryption when the certificate authority (CA) that signed the server certificate is in the trusted CA list on the firewall.
Forward Untrust —The firewall uses this certificate to sign a copy of the server certificate the firewall presents to clients during SSL Forward Proxy decryption when the CA that signed the server certificate is not in the trusted CA list on the firewall.
Trusted Root CA —The firewall uses this certificate as a trusted CA for SSL Forward Proxy decryption , GlobalProtect , URL Admin Override , and Captive Portal . The firewall has a large list of existing trusted CAs. The trusted root CA certificate is for additional CAs that your organization trusts but that are not part of the pre-installed trusted list.
SSL Exclude —The firewall uses this certificate if you configure decryption exceptions to exclude specific servers from SSL/TLS decryption.
Certificate for Secure Syslog —The firewall uses this certificate to secure the delivery of logs as syslog messages to a syslog server.
To generate a certificate, click Generate and specify the following fields.
Setting to Generate a Certificate Description
Certificate Type Select the entity that generates the certificate: Local —The firewall or Panorama generates the certificate. SCEP —A Simple Certificate Enrollment Protocol (SCEP) server generates the certificate and sends it to the firewall or Panorama.
Certificate Name (Required) Enter a name (up to 31 characters) to identify the certificate. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
SCEP Profile ( SCEP certificates only ) Select a SCEP Profile to define how the firewall or Panorama communicates with a SCEP server and to define settings for the SCEP certificate. For details, see Device > Certificate Management > SCEP. You can configure a firewall that serves as a GlobalProtect portal to request SCEP certificates on demand and automatically deploy the certificates to endpoints. The remaining fields in the Generate Certificate dialog do not apply to SCEP certificates. After specifying the Certificate Name and SCEP Profile, click Generate.
Common Name (Required) Enter the IP address or FQDN that will appear on the certificate.
Shared On a firewall that has more than one virtual system (vsys), select Shared if you want the certificate to be available to every vsys.
Signed By A certificate can be signed by a certificate authority (CA) certificate that has been imported in to the firewall or it can be self-signed where the firewall is the CA. If you are using Panorama, you also have the option of generating a self-signed certificate for Panorama. If you have imported CA certificates or have issued them on the firewall (self-signed), the drop-down includes the CAs available to sign the certificate that is being created. To generate a certificate signing request (CSR), select External Authority (CSR). The firewall generates the certificate and the key pair and you can then export the CSR.
Certificate Authority Select this option if you want the firewall to issue the certificate. Marking this certificate as a CA allows you to use this certificate to sign other certificates on the firewall.
OCSP Responder Select an OCSP responder profile from the drop-down (see Device > Certificate Management > OCSP Responder). The corresponding host name appears in the certificate.
Algorithm Select a key generation algorithm for the certificate— RSA or Elliptic Curve DSA (ECDSA). ECDSA uses smaller key sizes than the RSA algorithm, and therefore provides a performance enhancement for processing SSL/TLS connections. ECDSA also provides equal or greater security than RSA. ECDSA is recommended for client browsers and operating systems that support it. Otherwise, select RSA for compatibility with legacy browsers and operating systems. Firewalls that run releases before PAN-OS 7.0 will delete any ECDSA certificates that you push from Panorama, and any RSA certificates signed by an ECDSA certificate authority (CA) will be invalid on those firewalls.
Number of Bits Select the key length for the certificate. If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, the RSA keys generated must be 2048 or 3027 bits. If the Algorithm is Elliptic Curve DSA, both key length options ( 256 and 384) work.
Digest Select the Digest algorithm for the certificate. The available options depend on the key generation Algorithm: RSA MD5, SHA1, SHA256, SHA384, or SHA512 Elliptic Curve DSA SHA256 or SHA384 If the firewall is in FIPS-CC mode and the key generation Algorithm is RSA, you must select SHA256, SHA384, or SHA512 as the Digest algorithm. If the Algorithm is Elliptic Curve DSA, both Digest algorithms ( SHA256 and SHA384) work. Client certificates that are used when requesting firewall services that rely on TLSv1.2 (such as administrator access to the web interface) cannot have SHA384 (in releases before PAN-OS 7.1.8) or SHA512 as a digest algorithm. The client certificates must use a lower digest algorithm or you must limit the Max Version to TLSv1.1 when you configure SSL/TLS service profiles for the firewall services (see Device > Certificate Management > SSL/TLS Service Profile).
Expiration (days) Specify the number of days that the certificate will be valid. The default is 365 days. If you specify a Validity Period in a GlobalProtect satellite configuration, that value will override the value entered in this field.
Certificate Attributes Add additional Certificate Attributes to identify the entity to which you are issuing the certificate. You can add any of the following attributes— Country, State, Locality, Organization, Department, and Email. You can also specify one of the following Subject Alternative Name fields— Host Name (SubjectAltName:DNS), IP (SubjectAltName:IP), and Alt Email (SubjectAltName:email). To add a country as a certificate attribute, select Country from the Type column and then click into the Value column to see the ISO 6366 Country Codes.
If you configured a hardware security module (HSM), the private keys are stored on the external HSM storage, not on the firewall.
After you generate the certificate, the certificate details display on the page.
Supported Action to Manage Certificates Description
Delete Select the certificate and click Delete. If the firewall has a decryption policy, you cannot delete a certificate for which the usage is set to Forward Trust Certificate or Forward Untrust Certificate. To change the certificate usage, see Manage Default Trusted Certificate Authorities.
Revoke Select the certificate that you want to revoke, and click Revoke. The certificate will be instantly set to revoked status. No commit is required.
Renew In case a certificate expires or is about to expire, select the corresponding certificate and click Renew. Set the validity period (in days) for the certificate and click OK. If the firewall is the CA that issued the certificate, the firewall replaces it with a new certificate that has a different serial number but the same attributes as the old certificate. If an external certificate authority (CA) signed the certificate and the firewall uses the Online Certificate Status Protocol (OCSP) to verify certificate revocation status, the firewall uses the OCSP responder information to update the certificate status
Import To import a certificate, click Import and configure the fields as follows: Enter Certificate Name to identify the certificate. Browse to the certificate file. If you import a PKCS12 certificate and private key, a single file contains both. If you import a PEM certificate, the file contains only the certificate. Select the File Format for the certificate. Select Private key resides on Hardware Security Module if an HSM stores the key for this certificate. For HSM details, see Monitor > Automated Correlation Engine. Select Import private key if you also want to import the private key. If you selected PKCS12 as the certificate File Format, the selected Certificate File includes the key. If you selected the PEM format, browse to the encrypted private key file (generally named *.key). For both formats, enter the Passphrase and Confirm Passphrase.
Export Select the certificate you want to export, click Export, and select a File Format: Encrypted Private Key and Certificate (PKCS12) —The exported file will contain both the certificate and private key. Base64 Encoded Certificate (PEM) —If you want to export the private key also, select Export Private Key and enter a Passphrase and Confirm Passphrase. Binary Encoded Certificate (DER) —You can export only the certificate, not the key—ignore Export Private Key and passphrase fields.
Import HA Key The HA keys must be swapped across both the firewalls peers; that is the key from firewall 1 must be exported and then imported in to firewall 2 and vice versa. To import keys for high availability (HA), click Import HA Key and Browse to specify the key file for import. To export keys for HA, click Export HA Key and specify a location to save the file.
Export HA Key
Define the usage of the certificate In the Name column, select the certificate and then select options appropriate for how you plan to use the certificate.
Manage Default Trusted Certificate Authorities
Use this page to view, disable, or export, the pre-included certificate authorities (CAs) that the firewall trusts. For each CA, the name, subject, issuer, expiration date and validity status is displayed.
This list does not include the CA certificates generated on the firewall.
Trusted Certificate Authorities Setting Description
Enable If you have disabled a CA and want to re-enable it, click Enable.
Disable Select the CA you want to disable and then click Disable. You might use this option if you want to trust only specific CAs or you want to remove all of them and trust only your local CA.
Export Select and Export the CA certificate. You can do this to import into another system or to view the certificate offline.

Related Documentation