https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39499#M28982 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have a PA500 (OS 5.0.11)</P><P>I already configured it for SSL Decryption with a self signed certificate.</P><P>I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.</P><P>Question is: can I use my wildcard certificate for SSL Decryption?</P><P>How?</P><P>I try to import my certificate but I cannot use it for SSL Decryption</P><P><IMG alt="" class="image-0 jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/14120_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>Thanks</P><P>Regards</P></BODY></HTML> Wed, 25 Jun 2014 14:58:08 GMT diennea 2014-06-25T14:58:08Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39499#M28982 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>I have a PA500 (OS 5.0.11)</P><P>I already configured it for SSL Decryption with a self signed certificate.</P><P>I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.</P><P>Question is: can I use my wildcard certificate for SSL Decryption?</P><P>How?</P><P>I try to import my certificate but I cannot use it for SSL Decryption</P><P><IMG alt="" class="image-0 jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/14120_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P><P></P><P>Thanks</P><P>Regards</P></BODY></HTML> Wed, 25 Jun 2014 14:58:08 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39499#M28982 diennea 2014-06-25T14:58:08Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39500#M28983 <HTML><HEAD></HEAD><BODY><P>Hi !</P><P></P><P>For SSL decryption you'll need a CA certificate as it will be posing as the signing certificate of the websites the users are accessing.</P><P></P><P>A document that may come in handy</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1412">How to Implement SSL Decryption</A></P><P></P><P></P><P>regards</P><P>Tom</P></BODY></HTML> Wed, 25 Jun 2014 15:03:02 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39500#M28983 reaper 2014-06-25T15:03:02Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39501#M28984 <HTML><HEAD></HEAD><BODY><P>Thanks but in case of a Certification Authority like Verisign or Digicert I need to request a new certificate (signed by them) or I need to import a root certificate?</P><P></P><P>Thanks</P></BODY></HTML> Wed, 25 Jun 2014 15:26:12 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39501#M28984 diennea 2014-06-25T15:26:12Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39502#M28985 <HTML><HEAD></HEAD><BODY><P>In case of CA like verisign or digicert, you need to import chained certificate signed by the Public CA</P><P></P><P>This document is very helpful:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-4289">How to Install a Chained Certificate Signed by a Public CA</A></P></BODY></HTML> Wed, 25 Jun 2014 15:31:51 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39502#M28985 Mystique 2014-06-25T15:31:51Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39503#M28986 <HTML><HEAD></HEAD><BODY><P>I follow this guide and I create a pkcs12 chained certificate with this command:</P><P>openssl pkcs12 -export -in <EM>[certificate.pem]</EM> -inkey <EM>[certificate.key]</EM> -CAfile <EM>[chain.cer]</EM> -caname digicert -out <EM>[server-chain.p12]</EM> -name digicert -chain</P><P></P><P>but when I import my certificate (IMPORTANT: it is a <STRONG>web server certificate</STRONG>) it is not recognized as a CA.</P><P>I think problem is that my certificate was request for a web server.</P><P>If I try to install DigiCert CA root certificate it is recognized as a CA but I cannot use it for decryption.</P></BODY></HTML> Thu, 26 Jun 2014 10:26:34 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39503#M28986 diennea 2014-06-26T10:26:34Z https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39504#M28987 <HTML><HEAD></HEAD><BODY><P>You cannot use a certificate from a public CA like VeriSign or Digicert. A public CA will never give a subordinate (intermediate) CA certificate to someone outside their trust. With a subordinate certificate, you can create new certs that are trusted to the root, even for existing and common sites.</P><P></P><P>For SSL decryption, you need to use an internal CA certificate or generate a self-signed certificate on the firewall and use that. In both instances, you will need to distribute the public key of that certificate to all clients you wish to be decrypted.</P><P></P><P>Hope this helps,</P><P>Greg</P></BODY></HTML> Thu, 26 Jun 2014 16:44:33 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-certificate/m-p/39504#M28987 gwesson 2014-06-26T16:44:33Z