How to Create a Master Key on the CLI

How to Create a Master Key on the CLI

Created On 09/26/18 13:50 PM - Last Modified 06/09/23 03:07 AM



Master keys are used to encrypt the private keys which are on the Palo Alto Networks firewall. By default private keys are stored in encrypted form even if there is no new master key.



To verify if you have already set up a master key, run the >show system masterkey-properties command.

For example:

> show system masterkey-properties
Master key expires at: unspecified
Reminders will begin at: unspecified
Master key on hsm: no

The output above indicates that there is no master key created.


To create a new master key, run the following command:

> request master-key new-master-key <new_key_value> lifetime <lifetime_value>
    • The new master key should be a 64-bit encoded public key
    • The lifetime value is in hours (1-17520)


For example:

> request master-key new-master-key paloalto12345678 lifetime 1
Master key changed successfully. All key material has been re-encrpyted with
new master key and committed via jobid 12


Note: Once the master key is created, the Palo Alto Networks firewall will auto-commit. Prior to creating a new master key, make sure there is no changes pending to commit. Otherwise, the firewall will display the following error message:

Server error : There are uncommitted changes. Please commit all pending changes and try


Running the show system masterkey-properties will now show information on the new master key:

> show system master key-properties
Master key expires at: 2015/01/22 16:44:43
Reminders will begin at: 2015/01/15 16:44:43
Master key on hsm: no


owner: skumar1


  • Print
  • Copy Link

Choose Language