https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79271#M43223 <P>Hi Guys,</P> <P>&nbsp;</P> <P>Can you explain to me what types of the certificates l can use and where can l get them from? &nbsp;For SSL decryption, we do not want to use the self-signed cert.</P> <P>&nbsp;</P> <P>Thank you,</P> <P>Mykhaylo</P> Tue, 07 Jun 2016 13:08:34 GMT Transporter 2016-06-07T13:08:34Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79271#M43223 <P>Hi Guys,</P> <P>&nbsp;</P> <P>Can you explain to me what types of the certificates l can use and where can l get them from? &nbsp;For SSL decryption, we do not want to use the self-signed cert.</P> <P>&nbsp;</P> <P>Thank you,</P> <P>Mykhaylo</P> Tue, 07 Jun 2016 13:08:34 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79271#M43223 Transporter 2016-06-07T13:08:34Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79275#M43225 <P>Hello Mykhaylo,</P> <P>&nbsp;</P> <P>You will need a root certificate/subordinate certifcate. Essentially you need a certificate that will be used to&nbsp;generate a new certificate based off the original certificate in the handshake, the certificate that is generated will then be signed by the certificate you choose for decryption.</P> <P>&nbsp;</P> <P>It is highly unlikely you will get a certificate like this from a public authority, if you could get this kind of certificate then you could decrypt public traffic which would invalidate the use of public key infrastructure on the internet.</P> <P>&nbsp;</P> <P>hope this helps,</P> <P>Ben</P> Tue, 07 Jun 2016 13:57:55 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79275#M43225 bmorris1 2016-06-07T13:57:55Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79277#M43226 <P>Hi Mykhaylo,</P> <P>&nbsp;</P> <P>We have to use a root CA certificate for decryption. We should have both root ca certificate public key and private key.</P> <P>&nbsp;</P> <P>Why we need root ca is because whenever a client initiate a ssl handshake to a server firewall will intercept that request and then firewall will send a client hello from itself to server now server will reply for that client hello with server hello and it will also give a certificate. Firewall will take all field of the certificate sent from server and generate a similar certificate sign this new certificate with root CA&nbsp; cert this newly signed certificate is forwarded to actual client.&nbsp; Only a root CA certificate can generate/sign a certificate.</P> <P>&nbsp;</P> <P>No CA server will give their root CA certificate private key to anyone. So we have to use a selfsigned root certificate.</P> <P>&nbsp;</P> <P>Hope this helps!</P> Tue, 07 Jun 2016 14:03:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79277#M43226 pankaku 2016-06-07T14:03:30Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79290#M43233 <P>Thanks guys</P> Tue, 07 Jun 2016 14:57:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79290#M43233 Transporter 2016-06-07T14:57:00Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79295#M43236 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/8358">@Pankaj</a>.kumar wrote:<BR /> <P>Hi Mykhaylo,</P> <P>&nbsp;</P> <P>We have to use a root CA certificate for decryption. We should have both root ca certificate public key and private key.</P> <P>&nbsp;</P> <P>Why we need root ca is because whenever a client initiate a ssl handshake to a server firewall will intercept that request and then firewall will send a client hello from itself to server now server will reply for that client hello with server hello and it will also give a certificate. Firewall will take all field of the certificate sent from server and generate a similar certificate sign this new certificate with root CA&nbsp; cert this newly signed certificate is forwarded to actual client.&nbsp; Only a root CA certificate can generate/sign a certificate.</P> <P>&nbsp;</P> <P>No CA server will give their root CA certificate private key to anyone. So we have to use a selfsigned root certificate.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <HR /></BLOCKQUOTE> <P>&nbsp;</P> <P>You don't need to use a root CA certificate.&nbsp; What I did was issue a subordinate CA certificate from our internal intermediate issuing CA and use that as the Forward Trust Certificate in PAN-OS.&nbsp; This way, all of our clients already trust certificates issued by the PAN NGFW because they trust the root CA certificate at the base of the chain.&nbsp; Additionally, if the private key for the Forward Trust Certificate was ever compromised, we could always revoke the certificate using our intermediate CA.</P> <P>&nbsp;</P> <P>In my opinion, this is a much simpler and more secure method than making the PAN NGFW its own root CA.</P> Tue, 07 Jun 2016 15:39:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79295#M43236 scottsander 2016-06-07T15:39:57Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79334#M43244 <P>Yes It can be a subordidnate CA cert. Main point is it should be a ca&nbsp;cert.</P> Tue, 20 Sep 2016 22:53:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-what-kind-of-the-certificate-l-can-use/m-p/79334#M43244 pankaku 2016-09-20T22:53:03Z