Certificate generated on the firewall with "Block Private Key Export" checked allows key export after certificate renewal

Created On 07/28/21 08:38 AM - Last Modified 06/10/25 21:31 PM


Symptom


  • The certificate is generated with "Block Private Key Export" enabled, and this is confirmed in the certificate listing.
Certificate Listing Showing No-Export icon
  • After you renew the certificate, the no-export icon is missing from the listing, which indicates that the private key can now be exported.
Certificate listing shows the private key can be exported
  • This can be confirmed by trying to export the renewed certificate
Renewed certificate can now be exported


Environment


  • Palo Alto Firewall.
  • Supported PAN-OS 
  • Certificates


Resolution


The following workaround disables private key export for a renewed certificate:

  1. Renew the certificate
  2. Export it out of the firewall
  3. Disable private key export when you reimport the certificate

Refer to Block Private Key Export for details.


