https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44877#M32952 <HTML><HEAD></HEAD><BODY><P>Hi Panlst,</P><P></P><P>Since the certificate will be from the firewall, visitor's page will not have any information for the browser. When the client gets certificate it would be Unknown has signed Captive portal and that would generate browser error.</P><P></P><P>With certificate from trusted 3rd party, it might say Verisign has signed Captive portal, since visitors browser already trusts Verisign cert, there will not be any errors. Hope this helps. Thank you.</P></BODY></HTML> Mon, 10 Nov 2014 15:55:08 GMT ssharma 2014-11-10T15:55:08Z https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44875#M32950 <HTML><HEAD></HEAD><BODY><P>Hi all,</P><P></P><P>To make visitors not having ssl warning for Captive portal page;</P><P>is there a way to do that without purchase a certificate ?(no way for importing cert to the clients)</P></BODY></HTML> Mon, 10 Nov 2014 15:23:33 GMT https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44875#M32950 PanIst 2014-11-10T15:23:33Z https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44876#M32951 <HTML><HEAD></HEAD><BODY><P>As per my knowledge, the answer will be "no". Self generated certificate will not match with <SPAN class="GINGER_SOFTWARE_mark">client's</SPAN> <SPAN class="GINGER_SOFTWARE_mark">( </SPAN>browser) certificate ring. Hence, it will throw a <SPAN class="GINGER_SOFTWARE_mark">cert</SPAN> warning. </P><P></P><P>Thanks</P></BODY></HTML> Mon, 10 Nov 2014 15:32:39 GMT https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44876#M32951 HULK 2014-11-10T15:32:39Z https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44877#M32952 <HTML><HEAD></HEAD><BODY><P>Hi Panlst,</P><P></P><P>Since the certificate will be from the firewall, visitor's page will not have any information for the browser. When the client gets certificate it would be Unknown has signed Captive portal and that would generate browser error.</P><P></P><P>With certificate from trusted 3rd party, it might say Verisign has signed Captive portal, since visitors browser already trusts Verisign cert, there will not be any errors. Hope this helps. Thank you.</P></BODY></HTML> Mon, 10 Nov 2014 15:55:08 GMT https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44877#M32952 ssharma 2014-11-10T15:55:08Z https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44878#M32953 <HTML><HEAD></HEAD><BODY><P>Hi Panist,</P><P></P><P>That is correct, Guest user will get certificate warning as certificate is locally generated on firewall. Guest browser doesnt know certificate hence it will generate an error.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Mon, 10 Nov 2014 16:00:18 GMT https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44878#M32953 hshah 2014-11-10T16:00:18Z https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44879#M32954 <HTML><HEAD></HEAD><BODY><P>Hello Panlst,</P><P></P><P>The answer to your question is 'No' under your conditions. In general, following are the options:</P><P></P><P>1. Use a certificate signed by 3rd party vendor like Verisign, GoDaddy, etc. This is best solution as this cert will be trusted by all the browsers irrespective of the device.</P><P>2. Use a PAN self signed certificate or domain generated sub-ordinate certificate. Install its certificate authority on the client browsers. Though technically this will work, practically it is very difficult to implement this since typically you wouldn't be knowing which device the user will be using. So not scalable.</P><P></P><P>Hope it helps.</P><P></P><P>Regards,</P><P>Dileep</P></BODY></HTML> Mon, 10 Nov 2014 16:09:33 GMT https://live.paloaltonetworks.com/t5/general-topics/about-captive-certificate/m-p/44879#M32954 dreputi 2014-11-10T16:09:33Z