https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3299#M2462 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>"Do not use a trusted certificate with the option "forward trusted certificate".</P> </PRE><P>Sorry I didn't really understand.</P><P></P><P>You mean "Do not use a trusted certificate with the option "forward <STRONG style="text-decoration: underline;"><EM>un</EM></STRONG>trusted certificate"?</P><P></P><P><IMG __jive_id="13080" alt="" class="jiveImage" height="71" src="https://live.paloaltonetworks.com/legacyfs/online/13080_pastedImage_5.png" style="width: 1100.5px; height: 71px;" width="1101" /></P></BODY></HTML> Thu, 24 Apr 2014 12:22:29 GMT ITSama 2014-04-24T12:22:29Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3295#M2458 <HTML><HEAD></HEAD><BODY><P>After turning on the SSL-Decryption, firefox tells me every moring after restart this error&nbsp; "sec_error_reused_issuer_and_serial", after deleleting the whole history and a restart of firefox it works, but that workaround every morning couldn't be the solution.</P><P>Anybody some <SPAN class="hps">suggestions??</SPAN></P><P><SPAN class="hps"><BR /></SPAN></P><P><SPAN class="hps">thx<BR /></SPAN></P></BODY></HTML> Thu, 24 Apr 2014 05:42:54 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3295#M2458 ITSama 2014-04-24T05:42:54Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3296#M2459 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>when you get this message? when open any https websites or open the PA-WebGui?</P><P>if you get it with any https websites, please check the Trusted and Untrusted Certificates. Take a look:</P><P><IMG alt="ssl-certs.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/13067_ssl-certs.png" style="width: 620px; height: 51px;" /></P><P>The Certificates are generated all from PA.</P><P></P><P>gateway.example.com = DNS entry with the IP of your internet breakout&nbsp; at your PA</P><P>pa-webgui.example.com = DNS entry with the IP of your MGT from your PA</P><P></P><P>Export the RootCA certificate and import it in your firefox. And if you having more PAs with the same RootCA and WebGui certificates generated from you will always get the problem with FF when opening the WebGui. Try Chrome or IE.</P></BODY></HTML> Thu, 24 Apr 2014 07:54:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3296#M2459 Hithead 2014-04-24T07:54:58Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3297#M2460 <HTML><HEAD></HEAD><BODY><P>Hi Hithead,</P><P></P><P>i had only one certificate for all purposes signed as a Subordinate-CA from my Organisation-CA???&nbsp; IE has no problems with that, only FF.</P><P></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/13078_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Thu, 24 Apr 2014 11:06:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3297#M2460 ITSama 2014-04-24T11:06:21Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3298#M2461 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>FF has a problem with it. FF call it a "security feature" and IE ignore the&nbsp; usage of the same CA on different sites. Difficult to explain.</P><P></P><P>But by the way: Do not use a trusted certificate with the option "forward trusted certificate". If a page is recognized as untrusted by the PA, the user will not be promoted with a certificate error. It will trust it. Generate a new certificate with PA, with the same values but do not choose an issuer (signed by) and select the usage "untrusted Certificate" for it.</P></BODY></HTML> Thu, 24 Apr 2014 11:46:34 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3298#M2461 Hithead 2014-04-24T11:46:34Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3299#M2462 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote"> <P>"Do not use a trusted certificate with the option "forward trusted certificate".</P> </PRE><P>Sorry I didn't really understand.</P><P></P><P>You mean "Do not use a trusted certificate with the option "forward <STRONG style="text-decoration: underline;"><EM>un</EM></STRONG>trusted certificate"?</P><P></P><P><IMG __jive_id="13080" alt="" class="jiveImage" height="71" src="https://live.paloaltonetworks.com/legacyfs/online/13080_pastedImage_5.png" style="width: 1100.5px; height: 71px;" width="1101" /></P></BODY></HTML> Thu, 24 Apr 2014 12:22:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3299#M2462 ITSama 2014-04-24T12:22:29Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3300#M2463 <HTML><HEAD></HEAD><BODY><P>oh, you are right <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P><P>I mean untrusted <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 24 Apr 2014 12:40:18 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3300#M2463 Hithead 2014-04-24T12:40:18Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3301#M2464 <HTML><HEAD></HEAD><BODY><P>Okay :smileygrin:.&nbsp; I have tested it and it looks good with the untrusted certificates.</P><P></P><P>And for the "security feature" in FF, i will look for a workaround <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />.</P><P></P><P>But I have one more question: Do you mean it's useful to work with OCSP-Responder or CRL-Lists? Any Ideas or best practice, because there are different meanings about that?</P><P></P><P><IMG alt="" class="jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/13081_pastedImage_2.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Thu, 24 Apr 2014 14:02:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3301#M2464 ITSama 2014-04-24T14:02:55Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3302#M2465 <HTML><HEAD></HEAD><BODY><P>we don't activated that, because of a bug. But we will enable it soon again (with 6.0.2). Only crl . After enable it, you have to check the system logs, if your PA can download the crl .</P><P></P><P>BTW: read this <A _jive_internal="true" href="https://live.paloaltonetworks.com/thread/8984">https://live.paloaltonetworks.com/thread/8984</A></P></BODY></HTML> Fri, 25 Apr 2014 08:16:58 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3302#M2465 Hithead 2014-04-25T08:16:58Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3303#M2466 <HTML><HEAD></HEAD><BODY><P>This has been fixed in 6.0.2 which has been released yesterday.</P></BODY></HTML> Fri, 25 Apr 2014 08:31:24 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3303#M2466 gafrol 2014-04-25T08:31:24Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3304#M2467 <HTML><HEAD></HEAD><BODY><P>hi again,</P><P></P><P>okay i will test the OCSP with the new PAN-OS Version soon, but now I have another problem with the selfsigned certificate for the untrusted Certificates, because I get many certificate errors because the most intermediate CA's are not in the default trusted certificate list on the PA.</P><P></P><P>So what is the best way to solve the problem. It seems to be a little bit difficult to import all possible certificates for the Sub-CA's??</P></BODY></HTML> Mon, 28 Apr 2014 08:49:49 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3304#M2467 ITSama 2014-04-28T08:49:49Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3305#M2468 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>check your system and traffic logs (traffic logs from your MGT IP of PA). may you will find the some information what cannot be downloaded. Allow your PA to download the resources. </P></BODY></HTML> Fri, 09 May 2014 13:53:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-firefox-error-quot-sec-error-reused-issuer-and/m-p/3305#M2468 Hithead 2014-05-09T13:53:53Z