topic Re: PA 3220 function as a secondary / sub-ca in General Topics

PA 3220 function as a secondary / sub-ca

sallen — Sun, 22 Jan 2023 21:08:39 GMT

Greetings,

We are researching Certificate management and all the certificate management the Firewall can do. It came across as a question - is there a way to have the PA function as a secondary / sub-ca? Our team members our discussing instead of standing of a new CA since everyone should have the root FW cert. My question is at what scale and other problems could arise? I see some docs that state to monitor cpu and it does have a resource cost but I think this would be more than 10 certs which seems to be a basic suggestion: To be clear this is for applications on the FW like SSL Forward Proxy, Captive Portal, Global Protect. This would be about generating self signed certs or public CA for other webservices in the environment.

PA 3220

OS 10.2

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/certificate-deployment

Has anyone had experience with this and how did it go? Lessons learned or advice welcome?

Re: PA 3220 function as a secondary / sub-ca

Raido_Rattameister — Mon, 23 Jan 2023 05:12:28 GMT

For GlobalProtect I would buy cert from pubic CA to avoid users seeing cert warning when they access site first time as it teaches them that it is ok to bypass cert warnings.

For SSL Forward Proxy you need to sign certificates with CA that users already trust.

If you have internal CA then you can generate intermediate CA CSR on Palo and sign it with enterprise CA.

If you don't have internal CA just create CA on Palo and export PUBLIC key of it into workstations (using Group Policy for example).

You will not import private key of CA cert into workstations.

What is goal of sub-ca idea? Security in case CA private key leaks out from firewall?

In this case you would need to generate root CA on Palo.

Generate intermediate CA on Palo and sign with CA cert.

Most likely export both of them and then delete both of them (as you can't delete root ca if cert signed by it exists on Palo).

Then import root CA public key only and then import intermediate CA with private key.

And when intermediate expires then go through the process again by importing CA with private key to sign intermediate etc?

Not worth the work if you don't have enterprise CA then just export root CA public key into workstations I think.

Re: PA 3220 function as a secondary / sub-ca

sallen — Tue, 24 Jan 2023 15:02:35 GMT

Greetings and thank you for the discussion. Let me correct a few items. I made a typing mistake and this should state NOT:

To be clear this is for applications on the FW like SSL Forward Proxy, Captive Portal, Global Protect.

To be clear this is NOT for applications on the FW like SSL Forward Proxy, Captive Portal, Global Protect.

For testing purposes we have a CA in a secure environment but this FW is in-between. Can we provide the Firewall with other secure certs from other 3rd party applications? Thinking that the FW can be a CA instead of standing a new separate CA up. The same clients that access the secure portal will have access to the secure certificates on the FW. This situation for testing is because Captive Portal in redirect mode. PA 3220 PANOS 10.2 -TEST

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/certificate-deployment

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0

Re: PA 3220 function as a secondary / sub-ca

Raido_Rattameister — Tue, 24 Jan 2023 16:41:05 GMT

Yes you can import certificates from different sources into the firewall and use different certificates for different purposes.

If you want Palo to sign certificates itself then it needs to either have root CA cert or intermediate signed by your enterprise root CA.

Public CA's won't sign you trusted intermediate cert.