Understand the "Block Private Key Export" option with three scenarios

The firewall uses a certificate with the CA (Certificate Authority) role to perform SSL Decryption for outbound traffic.

There are three methods to generate this certificate.

  1. Method 1: Use a self-signed certificate. The firewall generates the certificate with the public/private key pair automatically, without involving an external CA.

  2. Method 2: Use an external CA. The firewall generates a CSR (Certificate Signing Request) together with the public/private key pair; you submit only the CSR (the public key) to the CA while the private key stays on the firewall, and finally you upload the certificate generated by the CA, which embeds the public key.

  3. Method 3: Use an external CA. You generate the CSR or the certificate with the public/private key pair outside the firewall, then upload the certificate together with the private key.

The « Block Private Key Export » option on the firewall allows administrators to prevent rogue admins from exporting the private key, keeping it secure on the firewall.

Let’s see with which method the « Block Private Key Export » option works.

 

Method 1

Generate a self-signed certificate; to be able to perform SSL Decryption for outbound traffic, check the Certificate Authority option.

To prevent the private key from being exported, check the Block Private Key Export option.

(screenshot: rmeddane_0-1705158156795.jpeg)

The self-signed certificate is generated automatically.

(screenshot: rmeddane_1-1705158156797.jpeg)

Select the certificate and click on the Export Certificate button.

The firewall does not offer the option to export the private key because the Block Private Key Export option is enabled.

(screenshot: rmeddane_2-1705158156803.jpeg)

 

 

Method 2

Generate a Certificate Signing Request (CSR) using the option Signed by External Authority (CSR), and check the Block Private Key Export option.

The CSR contains only the public key; the private key is kept on the firewall.

(screenshot: rmeddane_3-1705158156815.jpeg)

The CSR is in the pending state, waiting to be submitted to an external CA.

Click the Export Certificate button to export the CSR.

(screenshot: rmeddane_4-1705158156819.jpeg)

(screenshot: rmeddane_5-1705158156830.jpeg)

Access the CA-1 server and submit the CSR. You need to select the Subordinate Certificate Authority certificate template so that the issued certificate is a CA certificate, which the firewall can then use to sign the spoofed server certificates.

(screenshot: rmeddane_6-1705158156839.jpeg)

Retrieve the generated certificate from the CA-1 server and click on the Import button. In this scenario the private key is kept on the firewall, so you don’t need to use the Import Private Key option.

(screenshot: rmeddane_7-1705158156846.jpeg)

Notice the icon below that indicates that the private key cannot be exported.

(screenshot: rmeddane_8-1705158156848.jpeg)

But when you try to export the certificate, the firewall displays the option to export the private key, which confirms that the Block Private Key Export option didn’t work with this method.

(screenshot: rmeddane_9-1705158156855.jpeg)

 

 

Method 3

Access the CA-2 server command line and generate a certificate with the CA role. The CA-2 server generates the certificate including both the public key and the private key. With this method, you need to import both the certificate and the private key into the firewall.

(screenshot: rmeddane_10-1705158156859.jpeg)

Retrieve the certificate and the private key as shown below.

(screenshot: rmeddane_11-1705158156860.jpeg)

On the firewall, click the Import button and locate the certificate and the private key files.

Check the Block Private Key Export option.

(screenshot: rmeddane_12-1705158156862.jpeg)

Notice the icon below that indicates that the private key cannot be exported. Click the Export Certificate button.

(screenshot: rmeddane_13-1705158156870.jpeg)

Notice that the firewall does not allow the private key to be exported because Block Private Key Export is enabled.

(screenshot: rmeddane_14-1705158156874.jpeg)
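The three scenarios above come down to one question an admin should be able to answer about any exported or imported bundle: does it carry a private key, or only public material (a CSR or a certificate)? The following script is an added example, not code from the original post or from Palo Alto Networks. It scans a PEM bundle, lists the block types it contains, and classifies the bundle the way the scenarios are classified here (CSR only, certificate only, or certificate plus private key). The three sample bundles are constructed placeholders; their base64 bodies are not real keys or certificates, and the scenario names in `audit_exports()` are only labels chosen for this example.

```python
"""Classify what a certificate export or import bundle actually carries.

Added example (constructed; not the firewall's code). It scans a PEM-encoded
bundle and reports whether it holds only a CSR (what a Method 2 CSR export
should contain), only a certificate (what a Method 1 or Method 3 export
contains when Block Private Key Export took effect), or a certificate
together with its private key (a Method 3 import bundle, or an export where
the block did not take effect).
"""
import re
from typing import Dict, List

# One PEM block: "-----BEGIN <label>-----", base64 body, "-----END <label>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)

# PEM labels that mean a private key is present
# (PKCS#8, legacy RSA/EC formats, encrypted PKCS#8).
PRIVATE_KEY_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
}


def pem_labels(bundle: str) -> List[str]:
    """Return the labels of every PEM block in the bundle, in order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(bundle)]


def contains_private_key(bundle: str) -> bool:
    """True if any block in the bundle is a private key of a known PEM type."""
    return any(label in PRIVATE_KEY_LABELS for label in pem_labels(bundle))


def classify_bundle(bundle: str) -> str:
    """Map a bundle to what it exposes.

    Returns one of: "csr-only", "certificate-only",
    "certificate+private-key", "private-key-present" (a key with no
    certificate, e.g. a CSR shipped together with its key), or "unknown".
    """
    labels = pem_labels(bundle)
    has_key = contains_private_key(bundle)
    if "CERTIFICATE REQUEST" in labels and not has_key:
        return "csr-only"
    if "CERTIFICATE" in labels and has_key:
        return "certificate+private-key"
    if "CERTIFICATE" in labels:
        return "certificate-only"
    if has_key:
        return "private-key-present"
    return "unknown"


# Constructed sample bundles: the base64 bodies are placeholders, not real
# keys or certificates; only the PEM framing matters for this check.
CSR_EXPORT = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBEXAMPLE+CONSTRUCTED/CSR=\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
CERT_ONLY_EXPORT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBEXAMPLE+CONSTRUCTED/CERT=\n"
    "-----END CERTIFICATE-----\n"
)
CERT_AND_KEY_BUNDLE = CERT_ONLY_EXPORT + (
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIBEXAMPLE+CONSTRUCTED/KEY=\n"
    "-----END PRIVATE KEY-----\n"
)


def audit_exports() -> Dict[str, str]:
    """Classify the three sample bundles; the keys are scenario labels
    chosen for this example, mirroring the post's three methods."""
    return {
        "method2_csr_export": classify_bundle(CSR_EXPORT),
        "method1_export_blocked": classify_bundle(CERT_ONLY_EXPORT),
        "method3_import_bundle": classify_bundle(CERT_AND_KEY_BUNDLE),
    }


if __name__ == "__main__":
    for name, verdict in audit_exports().items():
        print(f"{name}: {verdict}")
```

The script only understands PEM. An export that bundles the certificate with its private key in PKCS#12 form is DER-encoded binary and would have to be converted to PEM before this check applies; the point of the check is the same either way: after enabling Block Private Key Export, the bundle you can pull off the firewall should classify as `certificate-only`, never as `certificate+private-key`.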

 

 

 

 
