This article provides the steps to configure certificate-based authentication to the Palo Alto Networks web interface.
Note: After enabling this authentication, all username/password logins are disabled for all administrators. Administrators must be issued certificates in order to log in.
For the latest procedures, see the following topics in the user guides:
1. Generate a CA.
Go to Device > Certificates > click Generate > ensure CA is checked.
2. Create the Client Certificate Profile.
Go to Device > Client Certificate Profile > click Add > change Username to Subject, and the next field will be common-name. Also, add the CA created in Step 1.
3. Set Client Certificate Profile for Authentication Settings.
Go to Device > Setup > click to edit the Authentication Settings window > assign the Client Certificate Profile created in Step 2.
4. Create an Admin with the client certificate authentication setting checked.
Go to Device > Administrators > Click Add. Ensure the option to use only client certificate authentication (Web) is checked.
5. Create the client certificate for the newly created Administrator.
Go to Device > Certificates > Generate.
Ensure that the certificate is signed by the CA created in Step 1.
Verify that the common name field has the name of the Administrator created in Step 4.
6. Export the Administrator's Client Cert.
Go to the Device > Setup.
In the Certificates section, check the client Cert’s checkbox.
Verify that the File Format is PKCS12 -> Enter a passphrase.
The following message is displayed:
8. Import the Administrator's Client Certificate into the browser (Firefox for demo).
Go to the Firefox options menu.
Click View Certificates.
Point to the Admin’s Client Cert previously exported.
9. Go to the Palo Alto’s WebGUI (ensure HTTPS is enabled on the interface).
Choose the Client Certificate.
10. This warning will display because the Cert isn't trusted.
Add the exception.
11. Click Login.
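Because password logins are disabled once this is enabled, it helps to confirm that the exported bundle meets the requirements of Steps 5 and 6 before relying on it. The following shell function is an added example, not part of the original article; it assumes OpenSSL on the admin workstation and that ca.pem is the Step 1 CA certificate in PEM format (the file names, the admin name and the P12_PASS variable are placeholders).

```shell
#!/bin/sh
# Added example, not from the original article: verify the PKCS12 bundle
# exported in Step 6 before relying on it for login.
# usage: check_admin_p12 <bundle.p12> <ca.pem> <admin-name>
# (placeholder names; the passphrase is read from the exported P12_PASS variable)
check_admin_p12() (
    # Body runs in a subshell: variables stay local, exit only ends the function.
    p12=$1 ca=$2 admin=$3
    cert=$(mktemp) || exit 1
    trap 'rm -f "$cert"' EXIT

    # Extract the client certificate only; the private key is never written out.
    # The passphrase comes from the environment, not the command line.
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
            -out "$cert" 2>/dev/null; then
        echo "FAIL: cannot open $p12 (wrong passphrase or not PKCS12)" >&2
        exit 1
    fi

    # Step 5: the certificate must be signed by the CA generated in Step 1.
    # verify also rejects a certificate outside its validity period.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: certificate does not verify against $ca" >&2
        exit 1
    fi

    # Steps 2 and 5: the profile reads the username from the Subject
    # common-name, so the CN must equal the administrator account name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" != "$admin" ]; then
        echo "FAIL: CN '$cn' does not match administrator '$admin'" >&2
        exit 1
    fi
    echo "OK: '$admin' certificate verifies against the CA and the CN matches"
)

# Run as a script when given three arguments; otherwise only define the function.
if [ "$#" -eq 3 ]; then check_admin_p12 "$@"; fi
```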
Can you use your own certificates generated in your enterprise CA for WebUI authentication?
This appears to be dated and needs to be updated with current UI options please.
I get the following error when I access the WebUI after enabling cert authentication.
"400 Bad Request - No required SSL certificate was sent". What could be the issue?
@EdwardWaithaka Did you ever find a solution to that cert issue? I'm experiencing the same on PANOS 8.0
@nicko, You are getting the same issue as Edward?
You are trying to use a cert for the WebGUI as well as one for Authentication? Or just for Authentication?
Just trying to clarify here.
Same issue as @EdwardWaithaka and @nicko