Configure Certificate Profiles

Overview

Certificate profiles in PAN-OS define how the firewall verifies client certificates for authentication purposes. They specify which Certificate Authority (CA) certificates to trust, how to check for certificate revocation, and how to handle various certificate validation scenarios.

Use Cases

Configuration Steps

  1. Obtain CA Certificates:
    • Generate a self-signed root CA certificate on the firewall.
    • Import a certificate from your enterprise CA.
  2. Create a Certificate Profile:
    • Navigate to Device > Certificate Management > Certificate Profile.
    • Click Add to create a new profile.
    • Enter a unique Name for the profile.
    • Select the appropriate Location (vsys or Shared).
  3. Assign CA Certificates:
    • In the CA Certificates section, click Add.
    • Select an existing CA certificate or import a new one.
  4. Configure Certificate Verification Settings:
    • Enable Use CRL to check the Certificate Revocation List.
    • Enable Use OCSP to use the Online Certificate Status Protocol.
    • If both are enabled, the firewall checks OCSP first, then falls back to CRL if OCSP is unavailable.
    • Set CRL Receive Timeout and OCSP Receive Timeout (1-60 seconds).
    • Set Certificate Status Timeout to define how long the firewall waits for a status response.
    • Optionally, configure:
      • Block session if certificate status is unknown
      • Block sessions if certificate status cannot be retrieved within timeout
      • Block sessions if the certificate was not issued to the authenticating device (GlobalProtect only)
  5. Specify Username Field:
    • Choose the certificate field to extract the username:
      • Subject – Common Name (CN)
      • Subject Alternative Name (SAN) – Email or Principal Name
      • None – Typically used for device or pre-logon authentication
  6. Define Domain:
    • Enter the NetBIOS domain to map users through User-ID.
  7. Commit Changes:
    • Click OK to save the profile.
    • Commit the configuration to apply changes.
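The checks that steps 3 to 5 configure, modelled in Python as an added example (this is not PAN-OS or Palo Alto Networks code). It needs the `cryptography` package; the CertProfile field names, the certificates and the CRL are all constructed for the demonstration. It shows why a trusted CA must be matched by verifying the signature rather than by issuer name alone, how the "Block session if certificate status is unknown" option fails closed when no usable CRL is available, and how the username is taken from the Subject CN, the SAN email, or the SAN Principal Name (UPN).

```python
"""Model of a PAN-OS certificate profile's checks on a client certificate (trusted CA, signature,
validity, CRL, username field). Added illustration, not Palo Alto Networks code; all names are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier
UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # SAN otherName carrying a Microsoft UPN
NOW = datetime.now(timezone.utc).replace(microsecond=0)
Result = namedtuple("Result", "allowed reason username")

@dataclass
class CertProfile:                     # assumed names mirroring the profile's GUI settings
    ca_certs: list                     # trusted CA certificates
    username_field: str = "cn"         # "cn", "san-email", "san-upn" or "none"
    use_crl: bool = True
    block_unknown_status: bool = True  # "Block session if certificate status is unknown"

def _signed_by(cert, issuer):  # a matching issuer name is not trust; the signature must verify
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def _in_validity(c, now):  # *_utc properties exist on cryptography >= 42; older versions are naive UTC
    nb = getattr(c, "not_valid_before_utc", None) or c.not_valid_before.replace(tzinfo=timezone.utc)
    na = getattr(c, "not_valid_after_utc", None) or c.not_valid_after.replace(tzinfo=timezone.utc)
    return nb <= now <= na

def extract_username(cert, field):  # apply the profile's Username Field choice
    if field == "none":
        return None
    if field == "cn":
        attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        return attrs[0].value if attrs else None
    san = next((e.value for e in cert.extensions if isinstance(e.value, x509.SubjectAlternativeName)), None)
    if san is None:
        return None
    if field == "san-email":
        return next(iter(san.get_values_for_type(x509.RFC822Name)), None)
    for other in san.get_values_for_type(x509.OtherName):            # field == "san-upn"
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":  # DER UTF8String, short-form length
            return other.value[2:].decode()
    return None

def verify_client_cert(cert, profile, crl=None, now=NOW):
    """Run the profile's checks in order; an unknown revocation status fails closed."""
    issuer = next((ca for ca in profile.ca_certs if ca.subject == cert.issuer and _signed_by(cert, ca)), None)
    if issuer is None:
        return Result(False, "untrusted issuer", None)
    if not _in_validity(cert, now):
        return Result(False, "outside validity period", None)
    if profile.use_crl:
        usable = crl is not None and crl.issuer == issuer.subject and crl.is_signature_valid(issuer.public_key())
        if not usable and profile.block_unknown_status:
            return Result(False, "revocation status unknown", None)
        if usable and crl.get_revoked_certificate_by_serial_number(cert.serial_number):
            return Result(False, "revoked", None)
    return Result(True, "ok", extract_username(cert, profile.username_field))

def _make_ca(name):  # self-signed CA, as in step 1 of the procedure
    key = ec.generate_private_key(ec.SECP256R1())
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key

def _issue_client(ca_cert, ca_key, cn, email, upn):
    upn_der = b"\x0c" + bytes([len(upn)]) + upn.encode()   # DER UTF8String with short-form length
    san = x509.SubjectAlternativeName([x509.RFC822Name(email), x509.OtherName(UPN_OID, upn_der)])
    return (x509.CertificateBuilder().subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(ec.generate_private_key(ec.SECP256R1()).public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - timedelta(days=1)).not_valid_after(NOW + timedelta(days=30))
            .add_extension(san, critical=False).sign(ca_key, hashes.SHA256()))

def demo():  # constructed PKI: trusted CA, look-alike rogue CA, three client certs, one CRL
    ca, ca_key = _make_ca("Corp Issuing CA")
    rogue, rogue_key = _make_ca("Corp Issuing CA")  # same name, different key
    alice = _issue_client(ca, ca_key, "alice", "alice@example.com", "alice@corp.example")
    bob = _issue_client(ca, ca_key, "bob", "bob@example.com", "bob@corp.example")
    mallory = _issue_client(rogue, rogue_key, "alice", "alice@example.com", "alice@corp.example")
    revoked = x509.RevokedCertificateBuilder().serial_number(bob.serial_number).revocation_date(NOW).build()
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject).last_update(NOW)
           .next_update(NOW + timedelta(days=1)).add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    profile = CertProfile(ca_certs=[ca])
    return {"alice": verify_client_cert(alice, profile, crl),          # ok, username "alice"
            "bob": verify_client_cert(bob, profile, crl),              # revoked
            "mallory": verify_client_cert(mallory, profile, crl),      # untrusted issuer
            "alice_no_crl": verify_client_cert(alice, profile, None),  # status unknown -> blocked
            "alice_email": extract_username(alice, "san-email"),
            "alice_upn": extract_username(alice, "san-upn")}
```

Run `demo()` to see each outcome. The rogue CA carries the same Common Name as the trusted one, so only the signature check rejects Mallory's certificate; with the "block if status unknown" option cleared, the no-CRL case would instead be allowed, which is the trade-off that setting controls on the firewall.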

Best Practices

References