topic &quot;The Block Private Key Export&quot; option - Strange Behavior in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-the-block-private-key-export-quot-option-strange-behavior/m-p/572914#M2424 <P>I read the following explanation about the&nbsp;"The Block Private Key Export" option :&nbsp; You can permanently block the export of private keys for certificates when you generate them in or import them into PAN-OS or Panorama.</P> <P>&nbsp;</P> <P>I tested this option for the certificate generated by an external CA as shown below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 491px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56472i03FC03B6B6912442/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P> <P>&nbsp;</P> <P>I submitted the CSR to the CA server using a template to generate a Subordinate CA so that the Firewall will be able to use it for SSL Decryption for outbound SSL traffic.</P> <P>&nbsp;</P> <P>When I upload the certificate, <SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">notice the&nbsp;missing icon that would indicate that the&nbsp;private key <STRONG>can</STRONG> be exported</SPAN></SPAN>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56473i685885C4359D9648/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp;</P> <P>Now when I export the certificate, the firewall invite me to export the private key and the export is successful.</P> <P>&nbsp;</P> <P>What's wrong?</P> <P>&nbsp;</P> <P>Because for the Self Signed Certificate, the "The Block Private Key Export" option works fine as shown below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture d'écran 2024-01-12 230321.png" style="width: 854px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56474i9F136DCBE2FD7999/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture d'écran 2024-01-12 230321.png" alt="Capture d'écran 2024-01-12 230321.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="6.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56475i3C2852EABC0E3362/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> Fri, 12 Jan 2024 22:10:57 GMT rmeddane 2024-01-12T22:10:57Z "The Block Private Key Export" option - Strange Behavior https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-the-block-private-key-export-quot-option-strange-behavior/m-p/572914#M2424 <P>I read the following explanation about the&nbsp;"The Block Private Key Export" option :&nbsp; You can permanently block the export of private keys for certificates when you generate them in or import them into PAN-OS or Panorama.</P> <P>&nbsp;</P> <P>I tested this option for the certificate generated by an external CA as shown below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 491px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56472i03FC03B6B6912442/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P> <P>&nbsp;</P> <P>I submitted the CSR to the CA server using a template to generate a Subordinate CA so that the Firewall will be able to use it for SSL Decryption for outbound SSL traffic.</P> <P>&nbsp;</P> <P>When I upload the certificate, <SPAN><SPAN class="richTextArea slds-text-longform tile__title red-txt">notice the&nbsp;missing icon that would indicate that the&nbsp;private key <STRONG>can</STRONG> be exported</SPAN></SPAN>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56473i685885C4359D9648/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp;</P> <P>Now when I export the certificate, the firewall invite me to export the private key and the export is successful.</P> <P>&nbsp;</P> <P>What's wrong?</P> <P>&nbsp;</P> <P>Because for the Self Signed Certificate, the "The Block Private Key Export" option works fine as shown below:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Capture d'écran 2024-01-12 230321.png" style="width: 854px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56474i9F136DCBE2FD7999/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Capture d'écran 2024-01-12 230321.png" alt="Capture d'écran 2024-01-12 230321.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="6.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56475i3C2852EABC0E3362/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> Fri, 12 Jan 2024 22:10:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/quot-the-block-private-key-export-quot-option-strange-behavior/m-p/572914#M2424 rmeddane 2024-01-12T22:10:57Z