CSR generated with "Block Private Key Export" checked allows "Export Private Key" when the signed cert is reimported back
10251
Created On 07/27/21 12:45 PM - Last Modified 04/22/24 20:29 PM
Symptom
- CSR (Certificate Signing Request) is generated on Panorama with the "Block Private Key Export" box checked.
- After the CSR has been signed by a CA and the certificate is reimported into Panorama, the private key is exportable.
Note: The behavior is the same on Palo Alto Firewalls.
Environment
- Palo Alto Firewall or Panorama.
- PAN-OS 10.0.5
Cause
In PAN-OS 10.0, the "Block Private Key Export" setting is not preserved for a Certificate Signing Request (CSR) that is generated on PAN-OS, signed by a third party and re-imported into PAN-OS. This functionality will be added in a future release; the ETA is yet to be decided.
Resolution
The following steps are a workaround to enable "Block Private Key Export" for a Panorama (or firewall) generated CSR that is signed by a CA.
- Generate a CSR on the device with "Block Private Key Export" enabled
- Export the certificate
- Get the certificate signed by a CA
- Import the signed certificate back with the same name
- Export the certificate again along with the private key
- Now import the certificate back with the same name, but this time ensure that "Block Private Key Export" is checked on the certificate
- The imported certificate will have the private key blocked, and you should no longer be able to export the key
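The bundle exported in the fifth step (certificate plus private key) is exactly what gets re-imported with "Block Private Key Export" checked, so it is worth confirming before that last import that the CA-signed certificate really belongs to the key the device generated. The script below is an added example, not from this article or from Palo Alto Networks: it reproduces the key-handling side of the workaround with `openssl` on a workstation, using a constructed local CA in place of the real third-party CA, and assumes the device exports the CSR as PEM and the certificate with its key as PKCS12 (both are export formats PAN-OS offers). The hostname, passphrase and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the PAN-OS article. Reproduces the key-handling
# side of the workaround with openssl so the export from step 5 can be checked
# against the original CSR before it is re-imported in step 6.
# Assumptions: CSR exported as PEM, certificate+key exported as PKCS12; the CA
# below is a constructed local CA standing in for the third-party CA of step 3.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
P12_PASS='constructed-demo-passphrase'   # constructed; protects the demo PKCS12 only

# Step 1 equivalent: a new key pair and a CSR for it (constructed subject).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/device.key" -out "$WORKDIR/device.csr" \
    -subj "/CN=panorama.example.test" 2>/dev/null
}

# Step 3 equivalent: a constructed CA signs the CSR.
sign_csr() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/CN=Constructed Demo CA" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/device.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 1 -out "$WORKDIR/device.crt" 2>/dev/null
}

# Step 5 equivalent: certificate, issuing CA and private key bundled as PKCS12.
export_p12() {
  openssl pkcs12 -export -in "$WORKDIR/device.crt" -inkey "$WORKDIR/device.key" \
    -certfile "$WORKDIR/ca.crt" -passout "pass:$P12_PASS" \
    -out "$WORKDIR/device.p12"
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key read from stdin.
pubkey_digest() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# The check worth running before step 6: the public key in the CSR, the public
# key in the bundled certificate and the public key derived from the bundled
# private key must be identical, i.e. the CA signed the key the device made.
verify_bundle() {
  p12=$1
  csr=$2
  csr_pub=$(openssl req -in "$csr" -pubkey -noout | pubkey_digest)
  cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -clcerts -nokeys 2>/dev/null \
             | openssl x509 -pubkey -noout | pubkey_digest)
  key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$P12_PASS" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout | pubkey_digest)
  [ "$csr_pub" = "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs the workflow once, then shows the check rejecting the same bundle when
# it is compared against a CSR for an unrelated key.
run_demo() {
  gen_csr
  sign_csr
  export_p12
  if verify_bundle "$WORKDIR/device.p12" "$WORKDIR/device.csr"; then
    echo "bundle matches the original CSR; safe to re-import with Block Private Key Export"
  else
    echo "bundle does NOT match the original CSR; do not re-import"; return 1
  fi
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.csr" \
    -subj "/CN=other.example.test" 2>/dev/null
  if verify_bundle "$WORKDIR/device.p12" "$WORKDIR/other.csr"; then
    echo "unexpected: bundle matched an unrelated CSR"; return 1
  fi
  echo "bundle correctly rejected against an unrelated CSR"
}

run_demo
```

To apply this to a real export, point `verify_bundle` at the PKCS12 file downloaded in step 5 and the CSR exported in step 2, and set `P12_PASS` to the passphrase chosen at export time; a mismatch means the signed certificate was not issued for the device's key and the re-import in step 6 would pair a certificate with the wrong private key.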