topic Re: Using Third Party Certificates on a Palo in General Topics

Using Third Party Certificates on a Palo

GNS_Support — Fri, 09 Nov 2012 15:20:51 GMT

Does anyone know what the best certificate to use on a Palo is please? We have a customer who is failing PCI compliance testing as we are using a self signed certificate which was generated on the Palo for Global Protect. Any help or advise would be greatly appreciated.

Many Thanks

Re: Using Third Party Certificates on a Palo

msullivan — Fri, 09 Nov 2012 16:38:51 GMT

There are loads of CAs that browsers will support by default. It's really a question of budget and preference. Comodo for cheap, VeriSign for good service. Never GoDaddy for anything (IMO).

Concerning PCI, you could setup a compensating control that states that all the users that connect to the service have the correct cert in their local store and are trained on how to deal with a non-trusted response. In that case you can just keep the self-signed cert. <disclaimer> I am not a QSA, your client needs to check w/ their QSA if they want to go down this road</disclaimer>

But really, so far as PAN is concerned, it shouldn't matter.

Cheers,

Mike

Re: Using Third Party Certificates on a Palo

pandragon — Mon, 12 Nov 2012 13:36:39 GMT

One workaround would be use a separate web server to buy a wildcard certificate from Commercial CA with something like *.yourdomain.com. Then export the certificate and private key file in PKCS or PEM format from that web server to PaloAlto firewall or Panorama.

I think it may not be possible to generate CSR (Certificate Signing Request) from a PaloAlto firewall as I could not see any option to do that.

Then the workaround like above helped.