<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Wildcard cert in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410478#M1370</link>
    <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592"&gt;@Remo&lt;/a&gt;, there is no way that any public Certificate provider will give you a CA to create certs on their behalf.&amp;nbsp; You could then try to sell their certs and charge for them.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You have to use an Internal CA or allow the firewall to create them for you.&lt;/P&gt;</description>
    <pubDate>Tue, 01 Jun 2021 21:40:01 GMT</pubDate>
    <dc:creator>jdelio</dc:creator>
    <dc:date>2021-06-01T21:40:01Z</dc:date>
    <item>
      <title>Wildcard cert</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/408400#M1310</link>
      <description>&lt;P&gt;I recently set up a backup internet provider and bought a wildcard cert instead of renewing our previous cert. Previously just had a cert for remote.mydomain.com we used for GlobalProtect from Network Solutions. I have external DNS A records set for remote.mydomain.com with an IP from our main provider. I also set up an A record for remote2.mydomain.com with an IP from the backup provider. I have not created any automatic failover for GP. I was looking at just manually having GP users change to the secondary portal if our main goes down. I have seen some articles when doing this without a CA but not sure on the exact procedure when using a CA for the wildcard cert. I also have certs generated by the firewall I used as the trusted root cert and SSL decryption certs. I was hoping to use the one wildcard cert for all of these now. I recall having an issue in the past because I believe Network Solutions also has intermediate certs I needed to account for. Looking for pointers if anyone has been through a setup like this before.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;</description>
      <pubDate>Fri, 21 May 2021 19:12:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/408400#M1310</guid>
      <dc:creator>gvyskocil</dc:creator>
      <dc:date>2021-05-21T19:12:08Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard cert</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410477#M1369</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/26025"&gt;@gvyskocil&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The wildcard cert will work perfectly fine for external GlobalProtect portals and gateways, but you cannot use this one for SSL decryption. For SSL decryption you need a CA certificate and this one you will not get from any public Certificate Authority. So there is no other option than generating one locally or from an internal CA in your company.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Jun 2021 21:36:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410477#M1369</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2021-06-01T21:36:24Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard cert</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410478#M1370</link>
      <description>&lt;P&gt;I agree with&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592"&gt;@Remo&lt;/a&gt;, there is no way that any public Certificate provider will give you a CA to create certs on their behalf.&amp;nbsp; You could then try to sell their certs and charge for them.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You have to use an Internal CA or allow the firewall to create them for you.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Jun 2021 21:40:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410478#M1370</guid>
      <dc:creator>jdelio</dc:creator>
      <dc:date>2021-06-01T21:40:01Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard cert</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410651#M1383</link>
      <description>&lt;P&gt;Thanks for the replies. I guess I was confused on the setup for decryption. For outbound I thought I needed to configure SSL forward proxy and best practice is to use an enterprise CA as forward trust certificate. As both posters noted, that is an internal enterprise CA, not a public one as I thought I might use. Or I can just use self-signed certificates from the firewall.&amp;nbsp; Then it looks like I need a different certificate for a forward untrust certificate. I will probably just use self-signed on both for now. I was getting confused as inbound traffic is part of web traffic but looks like the key is the session itself starts as outgoing. The traffic only starts when an internal user requests an external website and I need to look at that as outbound.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;SSL inbound inspection would be if I have some internal server that people access from outside? For that part can I use the wildcard cert? I have a public cert that server uses for TLS that I am looking at switching to the wildcard cert.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks again for the replies. I think I am getting a better understanding of this now.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Jun 2021 17:23:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410651#M1383</guid>
      <dc:creator>gvyskocil</dc:creator>
      <dc:date>2021-06-02T17:23:16Z</dc:date>
    </item>
    <item>
      <title>Re: Wildcard cert</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410653#M1384</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/26025"&gt;@gvyskocil&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes, you're right. For inbound inspection you can use the wildcard certificate.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Jun 2021 17:28:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/wildcard-cert/m-p/410653#M1384</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2021-06-02T17:28:59Z</dc:date>
    </item>
  </channel>
</rss>

