rsa-sha2-512 and rsa-sha2-256 server host key are not configurable in the SSH Service Profile
9520
Created On 05/27/22 23:31 PM - Last Modified 12/19/24 21:27 PM
Symptom
- rsa-sha2-512 and rsa-sha2-256 need to be added under GUI: Device > Certificate Management > SSH Service Profile > Management Server Profile > (Add) > Hostkey
- There is no rsa-sha2-512 or rsa-sha2-256 option under Hostkey.
Environment
- Palo Alto Firewalls or Panorama
- PANOS 10.0.x and above
- SSH Service Profile
Cause
- The values 2048, 3072, and 4096 listed under Hostkey are RSA key lengths, not host key signature algorithms. The default key type and length is RSA 2048.
Resolution
- When configuring the SSH profile for management, select any of the key lengths 2048, 3072 or 4096.
- Select the configured profile by going to GUI: Device > Setup > Management > SSH Management Profile Settings > select the SSH Service Profile.
- Commit the configuration.
- Run the following command from the CLI:
> set ssh service-restart mgmt
- Test the changes from a client device. All RSA-based server host key algorithms are advertised.
nmap --script ssh2-enum-algos -sV -p 22 x.y.z.q (replace x.y.z.q with the firewall management IP)
Note:
- When an RSA server host key is configured, all RSA-based server host key algorithms are advertised: ssh-rsa, rsa-sha2-256 and rsa-sha2-512. This is regardless of which RSA key length is configured.
- To remove the ssh-rsa server host key algorithm from the advertisement, set any ECDSA-based key as the server host key.
- When you do this, all RSA-based server host key algorithms are pruned out, and only the corresponding ecdsa-sha2-* server host key algorithm is advertised.
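The nmap check above reads the algorithm name-lists from the server's SSH_MSG_KEXINIT message (RFC 4253 section 7.1). The following Python is an added example, not Palo Alto code: it parses a KEXINIT payload and reports which server host key algorithm families are advertised, so a defender can confirm from a packet capture whether the SHA-1 ssh-rsa algorithm is still offered. The two KEXINIT messages are constructed samples that mirror the RSA and ECDSA cases described in the note.

```python
"""Parse an SSH_MSG_KEXINIT payload and report advertised host key algorithms."""
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists follow the 16-byte cookie, in this fixed order (RFC 4253).
NAME_LISTS = ("kex_algorithms", "server_host_key_algorithms",
              "encryption_client_to_server", "encryption_server_to_client",
              "mac_client_to_server", "mac_server_to_client",
              "compression_client_to_server", "compression_server_to_client",
              "languages_client_to_server", "languages_server_to_client")

def build_kexinit(lists):
    # Construct a KEXINIT payload (cookie zeroed) for offline testing only.
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in NAME_LISTS:
        value = ",".join(lists.get(name, ())).encode()
        body += struct.pack(">I", len(value)) + value
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    # Decode each length-prefixed, comma-separated name-list into a Python list.
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, result = 17, {}
    for name in NAME_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        value = payload[pos:pos + length].decode()
        pos += length
        result[name] = value.split(",") if value else []
    return result

def host_key_report(payload):
    # Summarise the server_host_key_algorithms list by family.
    algos = parse_kexinit(payload)["server_host_key_algorithms"]
    return {"advertised": algos,
            "sha1_rsa": "ssh-rsa" in algos,
            "sha2_rsa": [a for a in algos if a.startswith("rsa-sha2-")],
            "ecdsa": [a for a in algos if a.startswith("ecdsa-sha2-")]}

# Constructed samples: RSA host key advertises all three RSA algorithms;
# ECDSA host key advertises only the matching ecdsa-sha2-* algorithm.
RSA_PROFILE = build_kexinit({"kex_algorithms": ["ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]})
ECDSA_PROFILE = build_kexinit({"kex_algorithms": ["ecdh-sha2-nistp256"],
    "server_host_key_algorithms": ["ecdsa-sha2-nistp256"]})

if __name__ == "__main__":
    for label, msg in (("RSA", RSA_PROFILE), ("ECDSA", ECDSA_PROFILE)):
        print(label, host_key_report(msg))
```

To apply this to a live capture, feed it the payload of the server's first packet after the version banner, with the packet_length, padding_length and padding bytes stripped off.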
Additional Information
- Configure an SSH Service Profile.
- Make sure to have a backup of the configuration before making any changes.
- If the firewall is in an HA environment, make the changes on the passive firewall first.