Other than password based authentication, you can use certificate to authenticate admin user to Paloalto admin GUI. Here is how to enable certificate based authentication.
Please be advised, after enabling certificate authentication you CANNOT authenticate with password to web GUI anymore.
01. Import root CA
a) Navigate to Device>Certificate Management>Certificates>Import
b) Give the root ca a name of your choice.
c) Select the format of your root CA certificate. (Either in pkcs12 or pem format)
d) Select where the root ca certificate file is.
e) Enter password for the root certificate.
Make sure your root certificate includes private key so we can generate other certificate using this root certificate.
02. Generate a certificate
a) Navigate to Device>Certificate Management>Certificates>Generate
b) Give the certificate a name of your choice.
c) In the common name column, you need to enter the admin username who will be authenticated using this certificate.
d) In the signed by column, select the root certificate you imported.
e)Click on generate
You can change cryptography settings to meet your security requirements. For demonstrating, I just leave everything as default.
03. Export the certificate so you can authenticate with it.
a) Navigate to Device>Certificate Management>Certificates>Export Certificate
b) Select export format(Either pkcs12 or pem format)
c) Give the exported certificate a password
d) Click OK
04. Setup certificate profile
a) Navigate to Device>Certificate Management>Certificate Profile>Add
b) Give the profile a name
c) In the CA certificate selection, add the root ca imported on step01
e) Click OK
05. Create admin user
a) Navigate to Device>Administrators>Add
b) Enter the admin username of your choice. (The common name in step02)
c) Check use only client certificate authentication(Web)
d) Click OK
06. Change authentication settings
a) Navigate to Device>Setup>Management>Authentication Settings
b) In the certificate profile drop down, select the profile created in step04
c) Click OK
07. Commit the changes.
a) Click commit on the top right corner
b) Confirm the commit in the pop up window
c) Wait the commit to finish
08. If you try to access the web GUI, the page will give you a 400 error.
09. If you have a valid certificate that can be used for authentication. The browser will prompt you to use the certificate you have.
10. After selecting the certificate, you can login with one click and there is no username or password needed.
Here is a useful note if you want to export root ca with private key on ADCS environment.
Appendix01. Open certificate authority with certsrv.msc
Appendix02. Right click and select All Task>Back up CA..
Appendix03. Click next
Appendix04.
a) Check private key and CA certificate
b) Select export path
c) Click next
Appendix05. Give the certificate a password.
Appendix06. Click finish.
