Forward Trust Certificate

Suhaimi — Tue, 24 Dec 2013 04:49:17 GMT

Hi,

In my office environment, we have an internal certificate that we have been using prior to installing PAN device. Lately after installing PAN, our office staff are always getting certificate warnings whenever they visit a SSL enabled website.

I read in the PAN documents that a self-signed certificate generated by PAN firewall will eliminate this certificate warnings. My question is, do I need to generate a new self-signed certificate or can I use our internal certificate for connection to Internet?

Thanks

Re: Forward Trust Certificate

tasonibare — Tue, 24 Dec 2013 10:58:37 GMT

Suhaimi,

Whenever there are certificate warnings with SSL websites, it means there's something about the certificate presented that the client browsers do not trust.

You should be able to use the existing certificate as long as you import the cert into your firewall along with its private key, and that certificate is included in the Trusted Root CA store on your staff's workstations (if it is a root CA certificate).

If the existing certificate is not a root CA cert, make sure that you also import the root CA's cert that signed that certificate into the PAN. If this step is not done, the firewall will not pass the entire certificate chain to the internal hosts and since the infomation about the root CA is missing, there would always be a warning that the cert is not trusted.

Here are some documents related to this problem and how to chain a certificate with its root cert to be imported into the PAN.

https://live.paloaltonetworks.com/docs/DOC-2287

https://live.paloaltonetworks.com/docs/DOC-1327

https://live.paloaltonetworks.com/docs/DOC-4289

Regards,

tasonibare

topic Re: Forward Trust Certificate in General Topics

Forward Trust Certificate

Re: Forward Trust Certificate