PCI compliance ECDHE/RSA

Showing results for 
Show  only  | Search instead for 
Did you mean: 

PCI compliance ECDHE/RSA

L1 Bithead

There were a couple of discussions on this months ago with no resolution. SecureTrust's PCI scans say that we are failing. We would need to set both RSA and ECDHE to 2048 but there is no option to do so that I know of for the SSL/TLS profile.  The workaround that was discussed was to disable ECDHE and RSA.  However, among other possible issues, it breaks the app for Apple devices. 


Just wondering if anyone has come across a fix.


L4 Transporter

Hello @wicklunds 


Good evening, well if you use a SSL/TLS profile, associated with a custom certificate, self-signed, or signed by an internal CA. You can generate it with ECDSA with a 256 or 384 or RSA at least 512 to 4096, at least for those self-signed by Palo Alto, but then if it is an internal CA, it depends on what support you have to generate certificates.

And then this assign it to the firewall administration, to the Web-Gui, so that it responds that certificate.


Review this:




Best regards

High Sticker

Thanks for the reply.  I should have mentioned that this is for PCI compliance.  As I understand it the article you posted only allows an on/off toggle.  Our certificate is not self-signed.  I'll double check but I believe it was generated properly.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!