topic Re: Cert key import in General Topics

Cert key import

jdprovine — Mon, 27 Mar 2017 18:54:19 GMT

What is the best way to import a key for a globalprotect portal? I already have CA installed.

Re: Cert key import

TranceforLife — Mon, 27 Mar 2017 20:33:39 GMT

Hi,

Just did recently. I used COMODO (think it is 4-5 £ per year). So generated CSR, sent to comodo. Received back signed cert (did only DV check) imported the cert to the firewall as well as the private key (i used .txt file). Private key will be encrypted l think by Master Key on PA. Created an SSL Profile and used with GP configuration.

Re: Cert key import

jdprovine — Mon, 27 Mar 2017 20:38:03 GMT

yeah I believe I only need to add the key not the cert.

Re: Cert key import

gwesson — Mon, 27 Mar 2017 20:48:37 GMT

When using a public CA, the chain is vitally important to get right. It can be done wrong, and cause some issues. Here's a doc I wrote a few years that goes into the details:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523

Re: Cert key import

jdprovine — Mon, 27 Mar 2017 20:55:50 GMT

I am using a internal CA , we have our own CA server setup in our networkl I created the key on it

Re: Cert key import

jdprovine — Wed, 29 Mar 2017 16:38:23 GMT

so do i choose import and then browse to the key or do I need to chain it to the CA that is already installed on the PA

Re: Cert key import

TranceforLife — Wed, 29 Mar 2017 16:54:21 GMT

So l had a .crt certificate + .txt private key. Imported both and everything works as it should

Re: Cert key import

jdprovine — Wed, 29 Mar 2017 19:50:45 GMT

There is already an existing .crt on the box I just need to add the key but I am not sure what the right procedure is

Re: Cert key import

TranceforLife — Wed, 29 Mar 2017 21:02:11 GMT

As far as l know you should have your private key as a separate file and while importing the certificate into the box use the option to add a private key as below:

When you finish you should see cert with private key uploaded and ready to be used:

If you uploaded the cert without the key l don't think you can use it as you will not be able to decrypt the data.

Re-upload the cert same time importing the private key.

Re: Cert key import

jdprovine — Wed, 29 Mar 2017 21:09:10 GMT

Okay that makes sense and thanks for the screen shots. So are you basically chain it to the existing cert?

Re: Cert key import

TranceforLife — Wed, 29 Mar 2017 21:37:08 GMT

l don't really know what exactly is happening behind the scenes but to me you uploading a digital certificate (its signed by trusted authority as well as contains a public key):

When SSL handshake is completed, the client will encrypt the data with the Public Key taken from the cert. For you to be able to decrypt you need to have a private key. Is it chained with cert when you uploading or not I am not sure and don't know much about the certs format. Sorry

Re: Cert key import

bradk14 — Thu, 30 Mar 2017 00:03:11 GMT

if I am understanding everything correctly, if you've already generated the CSR on the PA and thus it already has the private key installed, then yes, just import the public key from the CA. The PA should marry the two automatically.

Re: Cert key import

jdprovine — Thu, 30 Mar 2017 13:10:47 GMT

I have my own trusted root CA server and can generate my own certs and keys. Currently it has a the trusted root CA certificate installed and I want to add another key for another global protect portal on the PA and would like to add a cert and key to it.

Re: Cert key import

bradk14 — Thu, 30 Mar 2017 14:49:00 GMT

so then generate a new certificate, making sure you don't check the CA button to create and export the CSR, run the CSR through your enterprise CA and then import the resulting public key.

https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Generate-a-CSR-Certificate-Signing-Request-amp-Import-the/ta-p/53593

Re: Cert key import

jdprovine — Fri, 31 Mar 2017 16:30:35 GMT

can I add a key to an existing csr since we have global one?