https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24977#M18220 <HTML><HEAD></HEAD><BODY><P>Hello there. </P><P>I have a question related to CA for SSL client. </P><P>Customer has a certificate which issued by Trusted Root CA, but this trusted root CA is not contained in an ssl client's browser.</P><P>And then, the customer certificate was issued by this CA.</P><P>So, customer wants to distribute a CA of customer for all SSL VPN clients to avoid ssl certification error. (it was not created by a PA device.)</P><P></P><P>I tried to import to the CA at certificates in Device tab, but it&nbsp; was impossible. </P><P>Is it possible to do it through PA device?</P><P>Please let me know someone who know about it.</P><P></P><P>Thanks,</P><P>Eugene. </P></BODY></HTML> Fri, 13 Jul 2012 06:00:00 GMT willstech 2012-07-13T06:00:00Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24977#M18220 <HTML><HEAD></HEAD><BODY><P>Hello there. </P><P>I have a question related to CA for SSL client. </P><P>Customer has a certificate which issued by Trusted Root CA, but this trusted root CA is not contained in an ssl client's browser.</P><P>And then, the customer certificate was issued by this CA.</P><P>So, customer wants to distribute a CA of customer for all SSL VPN clients to avoid ssl certification error. (it was not created by a PA device.)</P><P></P><P>I tried to import to the CA at certificates in Device tab, but it&nbsp; was impossible. </P><P>Is it possible to do it through PA device?</P><P>Please let me know someone who know about it.</P><P></P><P>Thanks,</P><P>Eugene. </P></BODY></HTML> Fri, 13 Jul 2012 06:00:00 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24977#M18220 willstech 2012-07-13T06:00:00Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24978#M18221 <HTML><HEAD></HEAD><BODY><P>There is a trusted CA list within the device but I cant find in the manuals on how to list its content nor how to add your own CA's to this list - perhaps somebody else in here who knows?</P><P></P><P>Regarding importing of stuff, if the web-gui fails you can use scp or tftp like so:</P><P></P><P>scp import certificate from user1@10.0.3.4:/tmp/certificatefile</P><P></P><P>tftp import ssl-certificate from user1@10.0.3.4:/tmp/certificatefile</P></BODY></HTML> Fri, 13 Jul 2012 07:44:01 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24978#M18221 mikand 2012-07-13T07:44:01Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24979#M18222 <HTML><HEAD></HEAD><BODY><P>Through the Webui -&gt; Device -&gt; Certificates .. that shows all of the certs there.</P><P>You can take public CA certs and import them with their Key files.</P><P>OR you can create local generated CA's,. or the actual SSL certs..</P><P></P><P>It honestly really depends on what you are trying to accomplish.</P></BODY></HTML> Thu, 19 Jul 2012 20:30:41 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24979#M18222 jdelio 2012-07-19T20:30:41Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24980#M18223 <HTML><HEAD></HEAD><BODY><P>I hope you mean the public key when you spoke about public CA certs because I seriously doubt they will or should release their private key <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>Regarding that cert list I have completely missed that, in which version did that show up (and whats the CLI commands to list and modify it)?</P><P></P><P>Device -&gt; Certificate Management -&gt; Certificates -&gt; Default Trusted Certificate Authorities (tab)</P></BODY></HTML> Thu, 19 Jul 2012 20:55:31 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24980#M18223 mikand 2012-07-19T20:55:31Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24981#M18224 <HTML><HEAD></HEAD><BODY><P>As of 4.1, we do not list the trusted certs that are used by PAN. The tab "<SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">Device -&gt; Certificate Management </SPAN><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">-&gt; Certificates -&gt; Default Trusted Certificate Authorities" is an new feature added in 5.0. </SPAN></P><P></P><P>To generate a cert through CLI:</P><P>request certificate generate &lt;options&gt;</P><P></P><P>To modify the cert:</P><P>set shared certificate &lt;options&gt;</P></BODY></HTML> Fri, 20 Jul 2012 00:59:03 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-add-a-ca-in-pa-device/m-p/24981#M18224 zarina 2012-07-20T00:59:03Z