topic Re: SSL Certificates CA Verisign in General Topics

SSL Certificates CA Verisign

netmaster — Wed, 27 Aug 2014 12:30:15 GMT

Hello,

we have import the CA Certificate from Verisign and want to activate the Antivirus function (policies).

But only the

"Trusted Root CA"

is available in the "Certificate Information"

the option "Forward Trust Certificate" is gray and not available.

But that the function what we need.

We will check upload traffic to the servers in the trust lan of the paloalto

System: PaloAlto 500 v5.0.6

Anyone knows this problem.

Info: when we make a self signed CA we can choose the option "Trusted Root CA".

Re: SSL Certificates CA Verisign

_slv_ — Wed, 27 Aug 2014 12:56:12 GMT

Please read last reply by Gwesson from Re: Decryption certificate

and follow this doc https://live.paloaltonetworks.com/docs/DOC-1412

I hope that will explain You enought.

Regards

Slawek

Re: SSL Certificates CA Verisign

hshah — Wed, 27 Aug 2014 14:46:31 GMT

Hi Netmaster,

Decryption can be done only by self signed Root CA or Sub-ordinate CA. The reason is this certificate signs, another certificate for the traffic.

Lets say you generate a.crt self signed certificate on the firewall. Now traffic comes for bankofamerica.com on firewall. Now a.cert will sign a certificate for bankofamerica.com and forwards it to user.

Only self signed cert and subordinate cert has this capability to sign another certificate.

As long as I know verisign will not provide you subordinate certificate. Let me know if it helps.

Regards,

Hardik Shah

Re: SSL Certificates CA Verisign

netmaster — Thu, 28 Aug 2014 06:45:34 GMT

Hi,

thanks for the two answers, thats help to understand how it works in the firewall.

Now we have make a self signed Root CA and a decrypt like this doc:

https://live.paloaltonetworks.com/docs/DOC-1412

but it doesnt work. We want to make Inbound SSL decryption!

The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies).

And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall.

Config:

shared {

ssl-decrypt {

ssl-exclude-cert;

trusted-root-CA [ int_test_com int_test];

forward-trust-certificate int_test_com;

forward-untrust-certificate int_test_com;

}

int_test_com {

subject-hash fc08871a;

issuer-hash fc08871a;

not-valid-before "Aug 27 14:16:26 2014 GMT";

issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";

not-valid-after "Aug 27 14:16:26 2015 GMT";

common-name int.test.com;

expiry-epoch 1440684986;

ca yes;

subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";

public-key "-----BEGIN CERTIFICATE-----

.....

decryption {

rules {

int_test_antivirus {

category any;

type {

ssl-inbound-inspection int_test_com;

}

from untrust;

to trust;

source any;

destination any;

source-user any;

negate-source no;

negate-destination no;

action decrypt;

from untrust;

to trust;

source any;

destination int_test_com;

source-user any;

category any;

application [ ssl web-browsing];

service [ service-http service-https];

hip-profiles any;

action allow;

log-start yes;

log-end yes;

negate-source no;

negate-destination no;

Re: SSL Certificates CA Verisign

hshah — Thu, 28 Aug 2014 14:00:07 GMT

Hi Netmaster,

In Inbound Decryption, you get original certificate of the server, its different than outbound decryption. So, you always get server cert, its expected behavior.

Configuration looks good, can I get same configuration in GUI format.

1. Provide certificat in GUI

2. Provide Decryption policy in GUI

3. Provide Traffic log in GUI, which says its not decrypted.

Regards,

Hardik Shah

Re: SSL Certificates CA Verisign

netmaster — Mon, 01 Sep 2014 16:01:18 GMT

Hello,

when we import the server certificate, no CA flag is set and we dont can choose "Forward .... Certificate" and "Trusted Root CA" in the informations.

Thats a Certificate from Verisign. And wehn we load any other public root certficates from Verisign and import this ones, its the same....

For what you need it in GUI Format, its the same informations as about cli.

Anyone a Idee?

best regard

Markus

Re: SSL Certificates CA Verisign

netmaster — Mon, 01 Sep 2014 16:03:20 GMT

The certificate what we used in the upper config was created in the firewall, i think thats the problem why this one not matched, thats for your info guys.

Re: SSL Certificates CA Verisign

hshah — Mon, 01 Sep 2014 16:35:52 GMT

Hello Netmaster,

Actually its pretty simple configuration and work for most of the customer.

Most likely this is issue with the Certificate provided by Verisign. Verisign will not provide root certificate, they will provide sub-ordinate certificate. Make sure that sub-ordinate certificate has private key. If certificate matches this condition, you should be able to select "Trust/untrsuted Forward" Parameters.

For Self Signed Cert Follow bellow mentioned two steps. and it will work.

That should work just fine.

Regards,

Hardik Shah

Re: SSL Certificates CA Verisign

netmaster — Tue, 02 Sep 2014 16:26:04 GMT

Hi,

now we have made a self signed certificate from the firewall, thats not working.

For the test we have change the Server cert in a self signed too.

We don´ see any encrypted packets. (in the traffic log or in the cli like: How to View SSL Decryption Information from the CLI

We have make all the steps for inbound ssl decrypt from: How to Implement SSL Decryption

but it doesnt works.

Any special thinks what we must do in the decryption and security policies?

Or any other points we must do? enabling decryption on a single tab or so?

Cert:

Policy decry:

Policy sec:

Re: SSL Certificates CA Verisign

hshah — Tue, 02 Sep 2014 17:05:41 GMT

Hi Netmaster,

Does server uses certificate SSL_Test?

Most likely answer is NO, thats why inbound SSL decryption is not working.

You are supposed to upload same certificate to firewall which is used by server. If you dont get option for "Forward Trust/Untrust" than its fine.

Regards,

Hardik Shah

Re: SSL Certificates CA Verisign

netmaster — Tue, 02 Sep 2014 17:29:40 GMT

Hi,ok i understand we need the same certificate in Firewall as on the server, that we can make on the test Server.But the live Server had the verisign certificate. And we dont can change it. On all certificate we have downloaden From verisign we dont Have the choose to aktivate trust/untrust

On the der.

Re: SSL Certificates CA Verisign

hshah — Tue, 02 Sep 2014 17:33:58 GMT

Hi Netmaster,

I dont think for inbound encryption you need forward trust/untrust option. All you need is certificate and its private key to upload. Let me know if that helps.

"Forward trust/untrust" is for outbound SSL decryption.

REgards,

Hardik Shah

Re: SSL Certificates CA Verisign

netmaster — Tue, 02 Sep 2014 18:16:29 GMT

Hi,

Sry i think so. In the decryption policy is the last point "ssl inbound" and When we choose it we must choose a certificate. And Here is the Only certificate what we can choose the self signed with the Option

"Forward trust/untrust". Oh er certificate Here Are Not listed

Re: SSL Certificates CA Verisign

hshah — Tue, 02 Sep 2014 18:25:19 GMT

Did you uploaded cert with private key ?

Re: SSL Certificates CA Verisign

netmaster — Wed, 03 Sep 2014 11:37:18 GMT

Hi,

now we have uploaded whit key and make a policy and it works.

But 1 point, the documentation is here a little bit confuse!

There is the info that you need " forward trust/untrust option" and a CA but for this case is this not the point.

"1. The first thing we would like to do is to install and manage the certificate we would like to use. Navigate Device > Certificates and generate a new self signed Certificate, be sure to activate CA,Forward Trust Certificate, Untrust and Trusted Root CA:"

thanks for your help.

best regards

Re: SSL Certificates CA Verisign

hshah — Wed, 03 Sep 2014 14:12:49 GMT

Hello Netmaster,

I am glad I was useful to you and finally we found correct answer.

Actually document is not easy to understand, only first time its difficult. Nowonwards you should be able to understand. Thing is when we say self signed cert, we assume user knows he is supposed to check "certirficate" box.

Regards,

Hardik Shah