topic Re: Wildcard certificate on PA firewalls in General Topics

Wildcard certificate on PA firewalls

AlexandroDelAngel — Tue, 30 Oct 2018 22:51:44 GMT

Hi Team,

I'm trying to create a CSR in Panorama in order to get a wildcard certificate from our third party CA.

In order platforms, I define as common name the format *.mydomain.com but in Palo Alto I'm getting an error: Failed to generate certificate and key.

When I change the common name to .mydomain.com it allows me to create the CSR.

I just wanted to touch base with you guys in order to know about your experience working with wildcards on Palo Alto Plattform.

Any response will be very appreciated.

Thank you,

Re: Wildcard certificate on PA firewalls

Raido_Rattameister — Wed, 31 Oct 2018 00:12:00 GMT

Are you choosing Signed by External Authority (CSR)?

Try to change Certificate Name to something else but leave Common Name to *.mydomain.com

Re: Wildcard certificate on PA firewalls

Remo — Wed, 31 Oct 2018 00:33:02 GMT

Yup, just tested it as described by @Raido_Rattameister and it successfully generated a CSR for a wildcard cert.

(Remember to add *.mydomaim.com also as "hostname" when you generate the CSR)

Re: Wildcard certificate on PA firewalls

AlexandroDelAngel — Wed, 31 Oct 2018 00:35:54 GMT

Thanks for your feedback Raido,

Yes Sir, I'm choosing Signed by External Authority (CSR) and I'm still getting the same error. The error clears out when I change the Common name to .mydomain.com (removing the *).

For the Certificate Name I'm adding wildcard-mydomain-com.

Other thing I forgot to mention was that I'm choosing Algorithm Elliptic Curve DSA.

Thanks,

Re: Wildcard certificate on PA firewalls

AlexandroDelAngel — Wed, 31 Oct 2018 00:39:51 GMT

Thanks vsys,

I just tested that and got error: "request -> certificate -> generate -> hostname '*.mydomain.com' is invalid"

Could you test it for an Elliptic Curve DSA cert?

Thanks,

Re: Wildcard certificate on PA firewalls

Remo — Wed, 31 Oct 2018 00:56:36 GMT

What PAN-OS version do you have installed and are you logged in with a user that has "superuser" privileges?

Re: Wildcard certificate on PA firewalls

Raido_Rattameister — Wed, 31 Oct 2018 01:28:02 GMT

It would help to know Panorama version as @Remo mentioned.

In my case Panorama 8.1.4

Works like a charm.

Re: Wildcard certificate on PA firewalls

Rajesh12 — Wed, 31 Oct 2018 07:13:32 GMT

Works fine on PAN OS 7.1.16 too. Defined *.mydomain.com in both CN and hostname feilds with superuser account and it was generated successfully. So was the commit too.

Re: Wildcard certificate on PA firewalls

Remo — Wed, 31 Oct 2018 11:52:03 GMT

@AlexandroDelAngel

I was asking about the version and the permissions because may be you are seeing this bug (which is fixes in PAN-OS 8.0.10):

Re: Wildcard certificate on PA firewalls

AlexandroDelAngel — Wed, 31 Oct 2018 13:13:54 GMT

Thanks for your feedback Team,

Our Panorama is already in 8.0.10 and yes, my account is a superuser. I guess it's time to escalate to PA Support, I just don't want to purchase a useless wildcard certificate.

Kind Regards,

Re: Wildcard certificate on PA firewalls

Remo — Wed, 31 Oct 2018 13:56:01 GMT

Hi @AlexandroDelAngel

Yes, looks like there is something wrong. (Did you try the generation with another browser?, if you're using windows - as bad as this sounds - try it once with IE)

And while you talk about this with PA support ... you could simply use tools like openssl to generate the key and CSR for you.

Re: Wildcard certificate on PA firewalls

AlexandroDelAngel — Wed, 31 Oct 2018 14:24:11 GMT

Thanks for the recommendation vsys,

I just tried with IE and got the same error, OpenSSL will work fine for sure.

Kind Regards,

Re: Wildcard certificate on PA firewalls

AlexandroDelAngel — Fri, 02 Nov 2018 19:20:51 GMT

Hi Team,

Thank you very much everyone for your support, I left the Common Name as .mydomain.com and then on the CA directly you can indicate this is a wildcard certificate and they will prepend the * for you so the final result will be *.mydomain.com.

Then when I imported the signed certificate it was successful.

Kind Regards!