topic Re: Intermediate certs for SSL-VPN portal in General Topics

Intermediate certs for SSL-VPN portal

Retired Member — Fri, 07 Jan 2011 14:26:38 GMT

Hi!

I am using a DigiCert certificate for the SSL VPN portal and the management interface, and it all works well with most browsers. However the certification chain requires an intermediate CA to be trusted/sent as well, and I haven't managed to get that to work on the PAN-box.

It's not a big issue as most browsers seem to be able to resolve the chain by themselves, but for example Firefox on linux and the iPad are unable to verify the chain.

I have added the intermediate certificate required as a trusted CA but that didn't seem to help.

Any suggestions or tips are greately appreciated.

Thanks, Tom

Re: Intermediate certs for SSL-VPN portal

bpappas — Tue, 18 Jan 2011 23:18:40 GMT

What version of Firefox is running on the Linux and iPad devices?

Re: Intermediate certs for SSL-VPN portal

rogera — Mon, 09 May 2011 19:13:20 GMT

Hi.

I have the same problem with Digi intermediate certificate.

Did you fine any solution to this problem ?

Thanks, Roger

Re: Intermediate certs for SSL-VPN portal

jasonbone — Tue, 10 May 2011 13:46:54 GMT

I didn't notice either however I am having the same issue with my digicert certificates not being trusted on my iOS devices served up via either the Palo Alto or a set of Juniper SA's we have when connecting using safari or the Junos Pulse client. I believe this might be an iOS cert store issue.

Re: Intermediate certs for SSL-VPN portal

ShaunD — Wed, 07 Dec 2011 02:50:36 GMT

Have you found a resolution to this issue? I am experiencing the same problem.

Re: Intermediate certs for SSL-VPN portal

essnet — Wed, 07 Dec 2011 12:05:25 GMT

Hello,

Problem happens because PAN OS doesn't always import intermediate certificate (I don't know why). The fix is to edit the XML configuration file to add the intermediate certifcate, then upload back to your box and commit.

Many browsers don't complain about missing intermediate cert, because many of them embed widepsread vendors in additions of root CAs (which is a pure security mess of course).

Re: Intermediate certs for SSL-VPN portal

essnet — Wed, 07 Dec 2011 12:18:29 GMT

Here is an extract from XML which is missing intermediate:

<entry name="Mgmt and Portal">        
<common-name>xxxxxxxxxxxxxxxxx</common-name>        
<ca>no</ca>        <expires>Sep 2 2014</expires>       
<expiry-epoch>1409649540</expiry-epoch>    
<public-key>Bag Attributes    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53 
friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
</public-key>

The fix consist to insert intermediate certificate in addition of existing one inside <public-key> statement:

<entry name="Mgmt and Portal">       
<common-name>xxxxxxxxxxxxxxxxx</common-name>       
<ca>no</ca>        <expires>Sep 2 2014</expires>      
<expiry-epoch>1409649540</expiry-epoch>    
<public-key>Bag Attributes    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----aEd5y3GY3i4aWL/LKXe70PBADPZjnDvnJ5e6QhK94uIQdBh9kC26vy89SYsO+XbGOjnZN0QvyvCia
U80x2DrJvbMgKego/ZHQ6B45YckeyZ97YtRd30TZI/eDfCtgtrPbm4RLCYjqPESfnx1xyQnbMyqQ7q
FzGetu6ouKSllYycKyErYJbAoVYpozGx59i0gYTVCJluKcx3POnozvw7ZPUzJMgBMRJdS3Va8WW
kLcHynh1rlcHwWPK022ouJFrMHEQ.........
-----END CERTIFICATE-----
</public-key>

Import back your XML file, commit and enjoy. Be aware that you will need to restart your appliance dataplane or even reboot, because PAN OS doesn't detect that there was a real change inside the public certificate chain (another bug ?), so it won't reload it during commit.

Re: Intermediate certs for SSL-VPN portal

ShaunD — Wed, 07 Dec 2011 17:06:15 GMT

I do not see the XML inside my configuration file that you are referencing. I'm on PAN-OS 3.1.9, are you running something else? The Certificates are referenced in my configuration file in the Captive Portal and SSL-VPN sections, but the actual certificates are not in this file.

Re: Intermediate certs for SSL-VPN portal

essnet — Wed, 07 Dec 2011 17:10:22 GMT

I am using 4.0+ software only. No idea where are stored certificates on 3.x but it looks like it shares same bug.

Re: Intermediate certs for SSL-VPN portal

rnitz — Mon, 30 Apr 2012 14:10:50 GMT

SSL certificates were not included in the config XML file until 4.0.

Also, instead of rebooting the device or the dataplane, when importing the same certificate that you already imported, just give it a new name, then change your SSLVPN or captive portal config to use this new certificate.

Re: Intermediate certs for SSL-VPN portal

RyanF — Wed, 22 May 2013 20:23:17 GMT

Thank you, essnet! Nothing else worked for me, but manually appending the intermediate cert to the primary in XML did the trick!

I also had to reboot the devices for the change to take effect. I would've thought after 1.5 years that would be fixed.

Thanks again!