topic Re: SSL CSR SAN Multiple Uses in General Topics

SSL CSR SAN Multiple Uses

mike406 — Thu, 08 Feb 2018 01:07:24 GMT

PA-5220, 8.0

I need to generate a CSR for a cert that will be used for multiple things - web gui admin, globalprotect vpn, etc. The instructions for how to gen the CSR with subject alternative names are not clear.

Should the common name be one of the uses e.g. vpn.mycompany.com or should the common name be *.mycompany.com with all host names listed as attributes e.g. vpn.mycompany.com, webgui.mycompany.com, etc.

Re: SSL CSR SAN Multiple Uses

Mick_Ball — Thu, 08 Feb 2018 10:47:34 GMT

i'm not sure what instructions you were following but it may be a mixture of wildcard/SAN cert..

CN=vpn.mycompany.com

certificate attributes

hostname=webgui.mycompamy.com

hostname=vpn2.mycompamy.com

hostname=anyfink.mycompamy.com

as per... https://live.paloaltonetworks.com/t5/Management-Articles/Creating-Certificate-Subject-Alternate-Names/ta-p/58424

Re: SSL CSR SAN Multiple Uses

mike406 — Thu, 08 Feb 2018 13:40:10 GMT

8.0 documentation is where I got confused. See bolded text below. Why would a Host Name attribute match the Common Name?

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/certificate-management/obtain-certificates/obtain-a-certificate-from-an-external-ca

9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.

If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.

Re: SSL CSR SAN Multiple Uses

Mick_Ball — Thu, 08 Feb 2018 14:01:07 GMT

I think what its trying to say that if your CN is fred.com and your portal address dns resloves to fred.com then adding joe.com to the SAN will cause a cert issue for GP.

so... your get request is for fred.com but the trusted cert will have a hostname of joe.com...

in their example you dont need to add a hostname attribute, the SAN of fred.com will be assumed.

so... for the case of a single host cert, if you are going to add hostname attribute (not actually required) then keep it the same as the CN.

the ref doc link you provided is not really for SAN certs.

Re: SSL CSR SAN Multiple Uses

Mick_Ball — Thu, 08 Feb 2018 17:35:20 GMT

Hmmm... just re-read my previous post and I obviously have no idea what I'm talking about...

i need to re-read the statement "9" note in that document.

below... from Palo...

perhaps someone else can decypher this....

Re: SSL CSR SAN Multiple Uses

mike406 — Thu, 08 Feb 2018 23:13:33 GMT

I've got the web gui configured for now. Had to gen a new CSR and make sure to include SANs for web gui, etc.

Next step is to configure GlobalProtect with the cert.