topic Re: SSL Decryption - Enterprise CA in General Topics

SSL Decryption - Enterprise CA

cafowler — Wed, 01 Feb 2017 16:48:49 GMT

Hi Everyone,

Recently a decision was made to implement SSL Decryption for outbound inspection. We work within a Microsoft PKI environment and are experiencing issues in signing the CSR generated by the firewall. I create the CSR based on the "how to implement and test ssl decryption" document I found via the Live Community (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption/ta-p/59719). So, the CSR is designated as a CA and set to Signed by External Authority (CSR). Unfortunately, each time I receive the certificate, the Forward Trust Certificate is greyed out. We've tried both - CA box checked and CA box unchecked, the result is the same. We did find that our SubCA's were under constraints and cannot sign, so we used the Root to perform the signing but the result is the same.

Just wondering if anyone has a suggestion or if we need to review and follow the workaround I found here: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-Microsoft-Certificate/ta-p/56757.

thank you,

Carter

Re: SSL Decryption - Enterprise CA

sullivanpj2 — Wed, 01 Feb 2017 16:57:40 GMT

I don't believe you will have to generate a CSR for this. You can either do a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure). Steps 1-4 are all done within the Microsoft Certificate Server while steps 5-6 are when you import the certificate into the firewall. Try generating a cert from within your environment and import that generated certificate into the firewall.

Generating and Importing a Certificate from Microsoft Certificate Server

On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate template “subordinate CA”. Download the cert.
After downloading, export the certificate from the local certificate store. In IE, access the Internet Options dialog, select the Content tab, then click the Certificates button. The new certificate can be exported from the Personal certificates store. Select “Certificate Export Wizard”, export the private key, then select the format. Enter a passphrase and a file name and location for the resulting file. The certificate will be in a PFX format (PKCS #12).
To extract the certificate, use this openSSL[4] command:
openssl pkcs12 –in pfxfilename.pfx –out cert.pem –nokeys
To extract the key, use this openSSL command:
openssl pkcs12 –in pfxfilename.pfx –out keyfile.pem -nocerts
Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab > Certificates screen.
In the case of a High Availability (HA) Pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

- Peter

Re: SSL Decryption - Enterprise CA

cafowler — Thu, 09 Feb 2017 13:58:57 GMT

Thank you for the repsonse Peter, greatly appreciated. What we ended up doing is what you suggested in your first paragraph, we asked for a certificate to be issued which is a Subordinate CA. Problem solved. When I suggested the article "How to Implement Certificates Issued from Microsoft Certificate Services" it was met with hesitation, so haivng a certificate created which is a Subordinate worked out nicely.

Cheers,

Carter

Re: SSL Decryption - Enterprise CA

kchopra01 — Fri, 04 May 2018 06:23:37 GMT

Hi Peter, Just going through your solution . So , If I want to use internal PKI infra , then there is no need to generate CSR on firewall ?

What do I tell my customer like , to directly provide me the CA certificate ? I mean they dont need my CSR ? Because when I am providing CSR and importing certificate , then that forward trust option is greyed out ...

Re: SSL Decryption - Enterprise CA

Raido_Rattameister — Fri, 04 May 2018 15:13:37 GMT

You have many options.

- Generate CA cert on firewall and push it to domain member computers with Group policy

- Import existing CA into firewall and use this

- Use Subordinate CA signed by existing internal CA