https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520643#M107905 <P>Good Day!</P> <P>&nbsp;</P> <P>For decryption, it is needed both the public AND the private key.&nbsp;</P> <P>For a Windows server, I did a quick search and these seem like the correct steps:</P> <P>&nbsp;</P> <P><A href="https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key" target="_blank">https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key</A></P> <P>&nbsp;</P> <P>Once you export the certificate with private key (probably PKCS#12), you can then import the certificate in its entirety.</P> Tue, 08 Nov 2022 14:10:46 GMT S.Cantwell 2022-11-08T14:10:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520639#M107902 <P>When I try to import such certificate I get "Only self signed CA cert can have identical sub and issuer fields" error.</P> <P>&nbsp;</P> <P>The certificate is not from CA server so I don't have "Back up CA" option as described here:</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NUhCAM" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NUhCAM</A></P> <P>&nbsp;</P> <P>I'm aware of this discussion but it's for SAML and it doesn't give answer to basic question as stated in this sbject:</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/quot-only-self-signed-ca-cert-can-have-identical-sub-and-issuer/td-p/276749" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/quot-only-self-signed-ca-cert-can-have-identical-sub-and-issuer/td-p/276749</A></P> <P>&nbsp;</P> <P>So how can I import a&nbsp;certificate with same subject and issuer field but is not marked as CA? It's a self signed certificate from MS Exchange server which is required for decryption.&nbsp;</P> <P>&nbsp;</P> Tue, 08 Nov 2022 13:45:38 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520639#M107902 santonic 2022-11-08T13:45:38Z https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520643#M107905 <P>Good Day!</P> <P>&nbsp;</P> <P>For decryption, it is needed both the public AND the private key.&nbsp;</P> <P>For a Windows server, I did a quick search and these seem like the correct steps:</P> <P>&nbsp;</P> <P><A href="https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key" target="_blank">https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key</A></P> <P>&nbsp;</P> <P>Once you export the certificate with private key (probably PKCS#12), you can then import the certificate in its entirety.</P> Tue, 08 Nov 2022 14:10:46 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520643#M107905 S.Cantwell 2022-11-08T14:10:46Z https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520672#M107920 <P>Yes, I know I need private key for decryption. But this isn't the issue here.</P> <P>&nbsp;</P> <P>The issue is how to import a certificate which has the same subject and issuer field but is not marked as CA?&nbsp;</P> Tue, 08 Nov 2022 17:15:51 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520672#M107920 santonic 2022-11-08T17:15:51Z https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520983#M107985 <P>So nobody ever tried nor succeeded in this?&nbsp;</P> Fri, 11 Nov 2022 07:53:07 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/520983#M107985 santonic 2022-11-11T07:53:07Z https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/521017#M107989 <P>Hello again.&nbsp; You may certainly open a PANW TAC case to see what they suggest.&nbsp; In my experience, I have not been successful in importing a self-signed cert.&nbsp;</P> Fri, 11 Nov 2022 14:55:19 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/521017#M107989 S.Cantwell 2022-11-11T14:55:19Z https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/521019#M107990 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/10238">@santonic</a> ,</P> <P>&nbsp;</P> <P>That is a great question.&nbsp; I assume you are doing Inbound SSL Decryption and the cert is for the inbound Exchange server.&nbsp; I did not know the NGFW would not import self-signed certs that were not a CA.&nbsp; Could you please let us know the resolution from TAC?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Fri, 11 Nov 2022 15:22:25 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-import-certificate-with-same-subject-and-issuer-field/m-p/521019#M107990 TomYoung 2022-11-11T15:22:25Z