https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249159#M70863 <P>You can generate a new certificate for GUI as well, but you need not to. you can use the same root cert for GUI as well. call it under ssl/tls service profile. use it under management configuration.</P> Thu, 07 Feb 2019 08:38:12 GMT Abdul_Razaq 2019-02-07T08:38:12Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249072#M70850 <P>i have local trusted root CA on the PA.</P><P>Also i have ssl decryption cert on the PA.</P><P>&nbsp;</P><P>Is it possible i can create new cert from root and use it for web gui?</P> Wed, 06 Feb 2019 20:34:57 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249072#M70850 MP18 2019-02-06T20:34:57Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249159#M70863 <P>You can generate a new certificate for GUI as well, but you need not to. you can use the same root cert for GUI as well. call it under ssl/tls service profile. use it under management configuration.</P> Thu, 07 Feb 2019 08:38:12 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249159#M70863 Abdul_Razaq 2019-02-07T08:38:12Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249191#M70870 <P>it do not work.</P><P>under ssl/tls profile the CA root ceret does not show up?</P> Thu, 07 Feb 2019 12:55:46 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249191#M70870 MP18 2019-02-07T12:55:46Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249202#M70874 <P>Do you have private key of same certificate inside PA ? . then only you can use the certificate for web access</P> Thu, 07 Feb 2019 13:54:02 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249202#M70874 Abdul_Razaq 2019-02-07T13:54:02Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249386#M70920 <P>No CA root cert has no private key checked.</P> Fri, 08 Feb 2019 03:39:39 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/249386#M70920 MP18 2019-02-08T03:39:39Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250287#M71186 <P>any one can answer this?</P> Fri, 15 Feb 2019 21:09:32 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250287#M71186 MP18 2019-02-15T21:09:32Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250293#M71190 <P>Abdul eluded to it - you can't generate a new cert from that root without the private key. If that was a thing you could do, you could just grab GoDaddy or Letsencrypt's public root cert and create a valid cert for any domain. It's a fundamental part of PKI - ff you don't have the private key, you can't sign a new cert issued by that CA.</P> Fri, 15 Feb 2019 22:04:48 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250293#M71190 gwesson 2019-02-15T22:04:48Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250295#M71192 <P>Many thanks for answering the question.</P> Fri, 15 Feb 2019 22:23:44 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250295#M71192 MP18 2019-02-15T22:23:44Z https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250309#M71196 <P>Besides the fact that the whole trust system of the PKI wouln't work if everyone could sign certs with a publoc key, the money-making machine of the public CA also wouln't work <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 16 Feb 2019 13:13:35 GMT https://live.paloaltonetworks.com/t5/general-topics/creating-new-cert-from-local-trusted-root-ca/m-p/250309#M71196 Remo 2019-02-16T13:13:35Z