https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555527#M1782 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118216">@SteveBallantyne</a> ,</P> <P>&nbsp;</P> <P>The phrase "certificate profile" in my opinion is not a very good description.&nbsp; Certificate profiles contain the CA certificates that were used to create the certificate being verified, in this case the EDL server.&nbsp; It is a way to verify no one has tampered with the EDL site.</P> <P>&nbsp;</P> <P>For an EDL, you would browse to the site, examine the certificate, and download the CA certificates in the chain.&nbsp; Install them on your NGFW, and add them to your certificate profile.&nbsp; When the NGFW goes to the EDL, it says, "Yep.&nbsp; That is the correct certificate."&nbsp; I don't see it as a critical security feature, but I like to get rid of my commit warnings.</P> <P>&nbsp;</P> <P>Some versions of PAN-OS have had issues with the EDL certificate profile working.&nbsp; I am on 10.2.4, and they are working fine.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 28 Aug 2023 14:37:30 GMT TomYoung 2023-08-28T14:37:30Z https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555520#M1776 <P>Hello all,</P> <P>I currently have an issue with my firewalls not downloading External Dynamic Lists. Seems to be a certificate profile issue that arose from migrating into Panorama. I am guessing something went wonky with importing the certs, and then pushing them back out to the devices in a device template. I am still working on that!</P> <P>&nbsp;</P> <P>But can someone help me understand this concept of using a device hosted certificate to retrieve data from an SSL connection? It seems to me that the server you are connecting to has it's own certificate and that is what is being used to set up a secure connection and retrieve the data. How would my self-signed or internally CA signed certificate even be used in that conversation between the PA device and the SSL server?</P> Mon, 28 Aug 2023 13:40:25 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555520#M1776 SteveBallantyne 2023-08-28T13:40:25Z https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555523#M1778 <P>Maybe I am just a bonehead ... I thought that the EDL *required* a certificate profile. But I was able to change it to "None", commit, push, etc. And now the lists work fine. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>Turns out that it DOESN'T make sense to use a self-signed device certificate in this case!</P> Mon, 28 Aug 2023 14:13:38 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555523#M1778 SteveBallantyne 2023-08-28T14:13:38Z https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555527#M1782 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118216">@SteveBallantyne</a> ,</P> <P>&nbsp;</P> <P>The phrase "certificate profile" in my opinion is not a very good description.&nbsp; Certificate profiles contain the CA certificates that were used to create the certificate being verified, in this case the EDL server.&nbsp; It is a way to verify no one has tampered with the EDL site.</P> <P>&nbsp;</P> <P>For an EDL, you would browse to the site, examine the certificate, and download the CA certificates in the chain.&nbsp; Install them on your NGFW, and add them to your certificate profile.&nbsp; When the NGFW goes to the EDL, it says, "Yep.&nbsp; That is the correct certificate."&nbsp; I don't see it as a critical security feature, but I like to get rid of my commit warnings.</P> <P>&nbsp;</P> <P>Some versions of PAN-OS have had issues with the EDL certificate profile working.&nbsp; I am on 10.2.4, and they are working fine.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 28 Aug 2023 14:37:30 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555527#M1782 TomYoung 2023-08-28T14:37:30Z https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555529#M1784 <P>Thank you, Tom. What you said makes perfect sense, and it also explains why in the drop-down for certificates to use inside the certificate profile are only certificates in which there is a private key.</P> Mon, 28 Aug 2023 14:42:31 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555529#M1784 SteveBallantyne 2023-08-28T14:42:31Z https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555530#M1785 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118216">@SteveBallantyne</a> ,</P> <P>&nbsp;</P> <P>Probably because the only CA certificates on your NGFW contain private keys.&nbsp; It only allows CA certificates to be installed.&nbsp; You can add public CA certificates with no private key.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Mon, 28 Aug 2023 14:45:06 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/trying-to-understand-how-a-certificate-profile-is-used-for/m-p/555530#M1785 TomYoung 2023-08-28T14:45:06Z