How to Configure Certificate-based Authentication for the WebGUI




This article provides the steps to configure certificate-based authentication to the Palo Alto Networks web interface.

Note: After enabling this authentication, all username/password logins are disabled for all administrators. Administrators must be issued certificates in order to log in.








1.     Generate a CA.

Go to Device > Certificates > click Generate > ensure CA is checked.



2.     Create the Client Certificate Profile.

Go to Device > Client Certificate Profile > click Add > change Username to Subject, and the next field will be common-name. Also, add the CA created in Step 1.



3.     Set Client Certificate Profile for Authentication Settings.

Go to Device > Setup, click to edit the Authentication Settings window, and assign the Client Certificate Profile created in Step 2.



4.     Create an Admin with client certificate authentication setting checked.

Go to Device > Administrators > click Add. Ensure the option to use only client certificate authentication (Web) is checked.




5.     Create the client certificate for the newly created Administrator.

Go to Device > Certificates > Generate

Ensure that the certificate is signed by the CA created in Step 1.

Verify that the common name field contains the name of the Administrator created in Step 4.



6.     Export the Administrator's Client Cert.

Go to Device > Setup.

In the Certificates section, check the client Cert’s checkbox.

Click Export.

Verify that the File Format is PKCS12, then enter a passphrase.




7.      Commit.

The following message is displayed:



8.      Import the Administrator's Client Certificate into the browser (Firefox for demo).

Go to the Firefox options menu.

Click View Certificates.

Click Import.

Point to the Admin’s Client Cert previously exported.

Enter the passphrase.




9.      Go to the Palo Alto Networks WebGUI (ensure HTTPS is enabled on the interface).

Choose the Client Certificate.




10.      This warning will display because the Cert isn't trusted.

Add the exception.



11.      Click Login.
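
Because username/password logins stop working once this is enabled, it helps to check the bundle exported in Step 6 on a workstation first. The script below is an added example, not part of the original article or any Palo Alto Networks tooling. It assumes `openssl` is installed and that the CA certificate from Step 1 is available as a PEM file. The function names, file names, admin name and passphrase are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: verify an exported admin PKCS12 bundle against Steps 5 and 6.

# make_demo_pki DIR ADMIN PASS: builds a throwaway CA and a client bundle
# (constructed test data standing in for the firewall's Steps 1, 5 and 6).
make_demo_pki() {
  local dir="$1" admin="$2" pass="$3"
  mkdir -p "$dir" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Admin CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$admin" \
    -keyout "$dir/$admin.key" -out "$dir/$admin.csr" 2>/dev/null &&
  openssl x509 -req -in "$dir/$admin.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/$admin.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$dir/$admin.key" -in "$dir/$admin.pem" \
    -passout "pass:$pass" -out "$dir/$admin.p12"
}

# check_admin_p12 P12 PASSPHRASE ADMIN_NAME CA_PEM
# Returns 0 only if the bundle opens, the subject CN equals ADMIN_NAME (the
# profile maps Subject common-name to the username) and the cert chains to CA_PEM.
# Returns 1 on a CN or issuer mismatch, 2 if the bundle cannot be read.
check_admin_p12() {
  local p12="$1" pass="$2" admin="$3" ca="$4" crt cn
  crt=$(mktemp) || return 2
  # Pull only the client certificate (no private key) out of the bundle.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
       openssl x509 -out "$crt" 2>/dev/null; then
    echo "FAIL: cannot read $p12 (wrong passphrase or not PKCS12)"; rm -f "$crt"; return 2
  fi
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  if [ "$cn" != "$admin" ]; then
    echo "FAIL: subject CN '$cn' does not match administrator '$admin'"; rm -f "$crt"; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to $ca"; rm -f "$crt"; return 1
  fi
  rm -f "$crt"; echo "OK: CN=$cn, issued by the CA in $ca"
}

# Demo run on constructed data.
demo=$(mktemp -d) && make_demo_pki "$demo" admin1 'demo-pass' &&
  check_admin_p12 "$demo/admin1.p12" 'demo-pass' admin1 "$demo/ca.pem"
```

For a real bundle, call `check_admin_p12` with the exported file, its passphrase, the administrator name from Step 4 and the CA certificate from Step 1.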




Can you use your own certificates generated in your enterprise CA for WebUI authentication?

Best regards,

This appears to be dated and needs to be updated with current UI options please.

I get the following error when I access the WebUI after enabling cert authentication.

"400 Bad Request - No required SSL certificate was sent". What could be the issue?

@EdwardWaithaka Did you ever find a solution to that cert issue? I'm experiencing the same on PANOS 8.0

@nicko, You are getting the same issue as Edward?



You are trying to use a cert for the WebGUI as well as one for Authentication? Or just for Authentication?

Just trying to clarify here.


Same issue as @EdwardWaithaka and @nicko