topic Re: GesoTrust Intermediate Certificate in General Topics

GesoTrust Intermediate Certificate

gsanchez_evendor — Tue, 21 Feb 2017 11:27:38 GMT

Hi,

We're having some issues with the Intermidiate certificate that we're using in one of our servers when trying to connect to it passing trough your firewall (installed in our client's system).

Our certificate provider is GeoTrust Inc. and I've been reading that there may be some problems with your firewall when using it.

Since only 2 users from our client will be connecting to this server; is there a way to generate this certificates manually and install them on their computers?

Any help will be greatly appreciated because I'm a little out of my depth here.

Kind Regards, Guillermo.

Re: GesoTrust Intermediate Certificate

pulukas — Tue, 21 Feb 2017 14:12:35 GMT

What type of connection is the PA brokering for your server?

Is the PA performing decryption on your traffic?

Re: GesoTrust Intermediate Certificate

TranceforLife — Tue, 21 Feb 2017 14:57:02 GMT

If no decryption implemented Palo wouldn't care about the SSL traffic and the cert used by clien/server as @pulukas mentioned. If you do have a decryption then this post might help you:

https://live.paloaltonetworks.com/t5/General-Topics/SSL-Decryption-issue-wrong-certificate/m-p/141302

Re: GesoTrust Intermediate Certificate

gsanchez_evendor — Tue, 21 Feb 2017 14:53:04 GMT

I just forwarded those 2 questions to our client.

As soon as I get a reply, I'll Post here.

Thank you so much for your help!

Re: GesoTrust Intermediate Certificate

gsanchez_evendor — Tue, 21 Feb 2017 14:55:01 GMT

Than you for the link!

I still don't know about the decryption (waiting on response from client), but I'm gonna check it out just in case.

Than so much you for the response !

Re: GesoTrust Intermediate Certificate

gsanchez_evendor — Thu, 23 Feb 2017 09:26:12 GMT

Hi,

I just got an answer, apparently PA is performing ssl decryption for my client. PA manages the firewall.

I've also been told that whitelisting this certificate "wouldn't be a good idea" so that's not an option to me.

Any ideas on how to proceed?

Thanks in advance.

Re: GesoTrust Intermediate Certificate

TranceforLife — Thu, 23 Feb 2017 11:40:32 GMT

I am a bit confused about your setup/requirements but generally, Palo (when doing decryption) will forward trust and untrust certs to the client. This video helped me to understand same as community:-) Do you have that server available on Internet, if yes this website will help you to check server ssl cert and much more:

https://www.ssllabs.com/ssltest/

https://www.youtube.com/watch?v=7o3Pjhs1qxM

Re: GesoTrust Intermediate Certificate

gsanchez_evendor — Thu, 23 Feb 2017 15:22:53 GMT

Thank you so much!!

I checked our server with the website you linked and it came up with tons of warning messages.

TLS 1.2 -> NO

TLS 1.1 -> NO

TLS 1.0 -> Yes

SSL 3 INSERCURE -> Yes --> I Think this may be it

SSL 2 -> NO

I'll forward the full report to our server provider to see what can be done.

Thank you so much for your help.

Re: GesoTrust Intermediate Certificate

TranceforLife — Thu, 23 Feb 2017 15:27:35 GMT

Looks like you need to fix the server certificate and/or exclude it from the decryption.