Import a Certificate and Private Key
Updated on
Wed Aug 21 20:47:37 UTC 2024
End-of-Life (EoL)
If your enterprise has its own public key infrastructure (PKI), you can import a certificate and private key into the firewall from your enterprise certificate authority (CA). Enterprise CA certificates (unlike most certificates purchased from a trusted, third-party CA) can automatically issue CA certificates for applications such as SSL/TLS decryption or large-scale VPN.
On a Palo Alto Networks firewall or Panorama, you can import self-signed certificates only if they are CA certificates.
Instead of importing a self-signed root CA certificate into all the client systems, it is a best practice to import a certificate from the enterprise CA because the clients will already have a trust relationship with the enterprise CA, which simplifies the deployment.
If the certificate you will import is part of a certificate chain, it is a best practice to import the entire chain.
- From the enterprise CA, export the certificate and private key that the firewall will use for authentication.
  When exporting a private key, you must enter a passphrase to encrypt the key for transport. Ensure the management system can access the certificate and key files. When importing the key onto the firewall, you must enter the same passphrase to decrypt it.
- Select Device > Certificate Management > Certificates > Device Certificates.
- If the firewall has more than one virtual system (vsys), select a Location (vsys or Shared) for the certificate.
- Click Import and enter a Certificate Name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
- To make the certificate available to all virtual systems, select the Shared check box. This check box appears only if the firewall supports multiple virtual systems.
- Enter the path and name of the Certificate File received from the CA, or Browse to find the file.
- Select a File Format:
  - Encrypted Private Key and Certificate (PKCS12): This is the default and most common format, in which the key and certificate are in a single container (Certificate File). If a hardware security module (HSM) will store the private key for this certificate, select the Private key resides on Hardware Security Module check box.
  - Base64 Encoded Certificate (PEM): You must import the key separately from the certificate. If a hardware security module (HSM) stores the private key for this certificate, select the Private key resides on Hardware Security Module check box and skip the next step. Otherwise, select the Import Private Key check box, enter the Key File or Browse to it, then continue to the next step.
- (Panorama managed firewalls) You are required to Import Private Key if you enabled Block Private Key Export when the certificate was generated to successfully push configuration changes from the Panorama management server to managed firewalls.
- Enter and re-enter (confirm) the Passphrase used to encrypt the private key.
- Click OK. The Device Certificates page displays the imported certificate.
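The checks below can be run on the management system before the import. This is an added example, not Palo Alto Networks code: it assumes the OpenSSL command-line tool is installed, all function and file names are hypothetical, and the subject/issuer comparison is only a heuristic for "self-signed".

```bash
#!/usr/bin/env bash
# Pre-import checks for a certificate and private key (added example).
# Function names are hypothetical; requires the openssl CLI.

# Certificate Name rule from the procedure: letters, numbers, hyphens and
# underscores only; up to 63 characters on a firewall, 31 on Panorama.
valid_cert_name() {  # usage: valid_cert_name NAME [firewall|panorama]
  local LC_ALL=C name=$1 max=63
  [ "${2:-firewall}" = panorama ] && max=31
  [ -n "$name" ] && [ "${#name}" -le "$max" ] || return 1
  case $name in *[!A-Za-z0-9_-]*) return 1 ;; esac
}

# Self-signed certificates can be imported only if they are CA certificates.
# Returns 0 = passes the rule, 1 = self-signed but not a CA, 2 = unreadable.
# Heuristic: subject == issuer is treated as self-signed.
importable_cert() {  # usage: importable_cert CERT.pem
  local subj iss
  subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 2
  iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
  [ "${subj#subject=}" != "${iss#issuer=}" ] && return 0
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Build the PKCS12 container: certificate, private key and the rest of the
# chain in one file, encrypted with the passphrase that is entered again
# on the firewall. The passphrase is read from the exported variable
# P12_PASS so it does not appear on the command line.
make_p12() {  # usage: make_p12 CERT.pem KEY.pem CHAIN.pem OUT.p12
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -out "$4" -passout env:P12_PASS
}

# Count the certificates inside the container; the result should be the
# end-entity certificate plus every certificate in the chain file.
p12_cert_count() {  # usage: p12_cert_count FILE.p12
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
```

Source the file, export `P12_PASS`, then call the functions against the files exported from the enterprise CA.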