<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Need assistance with Certs and Firewall in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181970#M56115</link>
    <description>&lt;P&gt;This article was much more helpful.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-Microsoft-Certificate/ta-p/56757" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-Microsoft-Certificate/ta-p/56757&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 16 Oct 2017 00:42:19 GMT</pubDate>
    <dc:creator>s.williams1</dc:creator>
    <dc:date>2017-10-16T00:42:19Z</dc:date>
    <item>
      <title>Need assistance with Certs and Firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181898#M56098</link>
<description>&lt;P&gt;It has been years since I have done anything with Microsoft CA so I am really struggling.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is the problem:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When enabling URL filtering and I am blocking a certain site that has HTTP and HTTPS, the HTTP page will present the block page, but the HTTPS does not.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am not doing any SSL Decrypt, I want to in the future but that is requiring certs too. Need to work one thing at a time.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So here is the article I am trying to follow:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an-HTTPS-Session-Without/ta-p/55998" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an-HTTPS-Session-Without/ta-p/55998&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;&amp;nbsp;&lt;EM&gt;A certificate to be used for Forward Trust on the Palo Alto Networks device, where it is one of the following:&lt;/EM&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;&lt;EM&gt;A self-signed/self-generated certificate with which the box for "Certificate Authority" has been checked&amp;nbsp;&lt;/EM&gt;&lt;BR /&gt;&lt;EM&gt;&lt;STRONG&gt;Note:&lt;/STRONG&gt;&amp;nbsp;if using a self-signed/self-generated certificate it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors&lt;/EM&gt;&lt;/LI&gt;&lt;LI&gt;&lt;EM&gt;An intermediate CA certificate installed on the Palo Alto Networks device which was generated by an organization's internal CA.&lt;/EM&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The first option requires me to give my self-signed cert to the Systems team and have them deploy it out via GP to all clients, and that could take a while. So I want the second option. My environment doesn't have an intermediate CA, just a Root CA, so I should be able to import that since all clients already have this cert.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What I can't find is how to get the root CA cert on the Palo Alto. Do I need to do a CSR? I am unsure how to get the root cert with cert and key. I can export it out of my local domain machine, but there is no key so it's useless. So when working with Palo Alto in a MS CA environment, are there more in-depth articles on how to perform some of these tasks?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sat, 14 Oct 2017 19:54:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181898#M56098</guid>
      <dc:creator>s.williams1</dc:creator>
      <dc:date>2017-10-14T19:54:52Z</dc:date>
    </item>
    <item>
      <title>Re: Need assistance with Certs and Firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181906#M56099</link>
<description>&lt;P&gt;Update -&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I have figured out how to get a sub CA cert in my PA, with some help from Microsoft articles on how to create a template and then generate a CSR within the PA. So for a test I assigned that cert to my WEB GUI authentication to test. When accessing the firewall within Microsoft IE it works flawlessly, no cert errors on HTTPS. Chrome and Firefox not so much; obviously when it's a MS PKI it's going to work just fine in IE, but how do I get this to work within Chrome and Firefox? I cannot go around to all user browsers and install this cert, it's not realistic.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 15 Oct 2017 02:18:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181906#M56099</guid>
      <dc:creator>s.williams1</dc:creator>
      <dc:date>2017-10-15T02:18:05Z</dc:date>
    </item>
    <item>
      <title>Re: Need assistance with Certs and Firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181908#M56101</link>
<description>&lt;P&gt;Decrypt is in place, but I keep getting this error in the browser:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;So if I just type "google.com" it redirects to https and that's the error I get; I cannot continue. So looking into the error:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;DIV class="security-explanation security-explanation-insecure"&gt;&lt;DIV class="security-explanation-text"&gt;&lt;DIV class="security-explanation-title"&gt;Certificate error&lt;/DIV&gt;&lt;DIV&gt;There are issues with the site's certificate chain (net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM).&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;&lt;DIV class="security-explanation security-explanation-neutral"&gt;&lt;DIV class="security-property security-property-neutral"&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV class="security-explanation-text"&gt;&lt;DIV class="security-explanation-title"&gt;SHA-1 certificate&lt;/DIV&gt;&lt;DIV&gt;The certificate chain for this site contains a certificate signed using SHA-1.&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;So it would appear that while my Palo Alto cert uses the SHA256 hash algorithm, my Root CA is SHA1 &lt;span class="lia-unicode-emoji" title=":disappointed_face:"&gt;😞&lt;/span&gt;&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;And from what I can read SHA1 is not supported with Chrome, and I assume most modern browsers. So I assume that when the traffic is being proxied via the firewall cert and the browser starts to verify the chain and sees SHA1, it breaks.&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;DIV&gt;Any workarounds to this?&lt;/DIV&gt;&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;&lt;/DIV&gt;&lt;/DIV&gt;</description>
      <pubDate>Sun, 15 Oct 2017 03:09:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181908#M56101</guid>
      <dc:creator>s.williams1</dc:creator>
      <dc:date>2017-10-15T03:09:52Z</dc:date>
    </item>
    <item>
      <title>Re: Need assistance with Certs and Firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181942#M56105</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71957"&gt;@s.williams1&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Are you sure that your CA cert is a SHA256 cert on the firewall? Or did you sign your CA cert with an intermediate CA instead of the root?&amp;nbsp;&lt;/P&gt;&lt;P&gt;Chrome should not complain about SHA1 as root cert (at least not now). Chrome only gives you this error when there is a SHA1 CA which is not the root.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Remo&lt;/P&gt;</description>
      <pubDate>Sun, 15 Oct 2017 12:17:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181942#M56105</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-10-15T12:17:43Z</dc:date>
    </item>
    <item>
      <title>Re: Need assistance with Certs and Firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181948#M56107</link>
<description>&lt;P&gt;My environment doesn't have an intermediate CA.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I followed this article here:&lt;/P&gt;&lt;P&gt;&lt;A href="https://digitalscepter.com/blog/entry/ssl-decryption-implementation" target="_blank"&gt;https://digitalscepter.com/blog/entry/ssl-decryption-implementation&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I went to my CA server, copied the "subordinate CA template" and renamed it to something with Palo Alto in it. Deployed the template to the CA.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Took the CSR from the generated cert on the Palo Alto and pasted it into the web enrollment part of the CA and selected the template, downloaded that CA and imported it into the Firewall. It is valid.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What am I missing?&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 15 Oct 2017 13:55:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181948#M56107</guid>
      <dc:creator>s.williams1</dc:creator>
      <dc:date>2017-10-15T13:55:03Z</dc:date>
    </item>
    <item>
      <title>Re: Need assistance with Certs and Firewall</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181970#M56115</link>
      <description>&lt;P&gt;This article was much more helpful.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-Microsoft-Certificate/ta-p/56757" target="_blank"&gt;https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-Microsoft-Certificate/ta-p/56757&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 16 Oct 2017 00:42:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/need-assistance-with-certs-and-firewall/m-p/181970#M56115</guid>
      <dc:creator>s.williams1</dc:creator>
      <dc:date>2017-10-16T00:42:19Z</dc:date>
    </item>
  </channel>
</rss>