Can PAN device publish client certificates?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Can PAN device publish client certificates?

L5 Sessionator

I made 5 users into LocalDB, and I configured GlobalProtect Portal & Gateway.

It works fine so far.

Now I want to generate 5 client certificates for each user and use Client Cert Profile and Local DB as two factor auth. when I connect to GP.

My PANOS is 5.0. Is it possible to publish client certs?

I could confirm I can configure CA under Device tab > Certificate Management > Certificates.

But I think I CANNOT generate client certs using this CA.

If I'm wrong, please correct me and tell me how to.

If I'm correct, I'll prepare Windows 2008 or 2012 server for CA and client certs.




L4 Transporter


you can generate client cert with the ca cert created on the palo.

but you can't published directly the client cert

you need to export it and install on the client device.

otherwise you could you use your microsoft active directory to generate the client cert and published it by gpo.



Thank you for your reply.

I could generate client cert and successfully auth'ed by client certificate.

I have one more question.

I generated two certs, and confirmed both certs works fine.

Afterward, I revoked one cert, though I can still login to GP Portal using user002.

Doesn't it revoke just after I hit 'revoke' from GUI? (I mean do I need to wait few minutes? hours?)

Do you have any idea?



I dont think Portal authentication will have the second factor check of the 'client certificate'.

I think a valid test after revoking the client cert would to try and connect to the gateway and see the results.



you can do it.

Use the OCSP Responder (Online Certificate Status Protocol Responder) page to define a server that will be used to verify the revocation status of certificates issues by the PAN-OS device. When generating new certificates, you can specify the OCSP Responder that will be used.

you can do that with CRL too.

To enable OCSP, go to Device > Setup > Sessions and under Sessions Features click Decryption Certificate Revocation Settings.

and create a management profile with HTTP OCSP feature enable and bind it to the ingress interface.


  • 4 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!