https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249200#M70873 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;,&nbsp;</P><P>&nbsp;</P><P>certicate error can be because of</P><UL><LI>Not issued by trusted CA</LI><LI>Issued to someone else ( cn mismatch)</LI><LI>expired...etc</LI></UL><P>About decryption certificate,</P><P>please note that you wil get certificate error if the certificate was note issued by a trusted root CA by your browser/PC.</P><P>As no CAs will be providing a certificate with CA flag ( capable of signing certificate) because of security reasons, you will be generating this in PA, which means it is self signed, so it is not trusted by any browser/machine otherthan this PA unless you manually import this cert in PC/browsers trusterd authority.</P><P>so when you use this cert for web GUI, it is expected that you will get the error. you can just use it</P><P>&nbsp;</P><P>If you want a trusted certificate for your web access to avoid warning, you can get it from any of trusted CA, need put one of fqdn/ip in common name field, add other one alternative name. import in palo alto, use it for web access. this is cost involved..</P> Thu, 07 Feb 2019 13:52:56 GMT Abdul_Razaq 2019-02-07T13:52:56Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249063#M70849 <P>we have ssl decryption enabled and using our own CA as Internal Root Certificate.</P><P>&nbsp;</P><P>For webgui we get cert warning can i use same cert for Web gui to PA?</P> Wed, 06 Feb 2019 20:11:06 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249063#M70849 MP18 2019-02-06T20:11:06Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249088#M70851 <P>The cert you use for the gui will cause warnings for the same reason that any cert does. If the cert used for the gui is issued by an authority that your endpoint trusts, has the correct name and isn't expired, it shouldn't cause a warning.</P><P>For the gui, I create a cert with the firewall fqdn as the subject with&nbsp;SAN entries for the fqdn, firewall name and IP address. This tends to catch how we connect to the gui and eliminates errors.</P> Wed, 06 Feb 2019 22:07:32 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249088#M70851 rmfalconer 2019-02-06T22:07:32Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249090#M70852 <P>i already have Trusted Root CA that all pc trusts.</P><P>SSL decrypt cert&nbsp; is created from the root as intermediate.</P><P>&nbsp;</P><P>So ok to use that for gui?</P> Wed, 06 Feb 2019 22:10:15 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249090#M70852 MP18 2019-02-06T22:10:15Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249093#M70855 <P>You can use any certificate for the gui, just select it in the TLS profile you use for the web management. But if you re-use a cert that was meant for something else, you may still get warnings.</P><P>If the current cert has a subject of firewall.company.com and you access the gui with 10.1.1.1, you'll still get a warning from the browser since the address doesn't match the info on the cert.</P> Wed, 06 Feb 2019 22:44:10 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249093#M70855 rmfalconer 2019-02-06T22:44:10Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249158#M70862 <P>Yea..you can use it for GUI as well,</P><P>the certificate you are using for forward proxy should be a CA certificate ( certificate signing should be selected under key usage while generating certificate). once you select this certificate as forward trust/untrust, this certificate will be used for proxying accordingly.</P><P>&nbsp;</P><P>The certificate used for web GUI need not to sign any other certificates, it just need to be end entity, even you can use a CA certificate as well for this purpose.</P><P>Just create a ssl/tls profile and call this certificate under. use this profile in management configuration.</P> Thu, 07 Feb 2019 08:32:16 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249158#M70862 Abdul_Razaq 2019-02-07T08:32:16Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249190#M70869 <P>I tried to use my current ssl decrtypt cert also as web gui</P><P>then i login to PA it still gives me warning message not trusted?</P> Thu, 07 Feb 2019 12:54:25 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249190#M70869 MP18 2019-02-07T12:54:25Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249200#M70873 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/75039">@MP18</a>&nbsp;,&nbsp;</P><P>&nbsp;</P><P>certicate error can be because of</P><UL><LI>Not issued by trusted CA</LI><LI>Issued to someone else ( cn mismatch)</LI><LI>expired...etc</LI></UL><P>About decryption certificate,</P><P>please note that you wil get certificate error if the certificate was note issued by a trusted root CA by your browser/PC.</P><P>As no CAs will be providing a certificate with CA flag ( capable of signing certificate) because of security reasons, you will be generating this in PA, which means it is self signed, so it is not trusted by any browser/machine otherthan this PA unless you manually import this cert in PC/browsers trusterd authority.</P><P>so when you use this cert for web GUI, it is expected that you will get the error. you can just use it</P><P>&nbsp;</P><P>If you want a trusted certificate for your web access to avoid warning, you can get it from any of trusted CA, need put one of fqdn/ip in common name field, add other one alternative name. import in palo alto, use it for web access. this is cost involved..</P> Thu, 07 Feb 2019 13:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249200#M70873 Abdul_Razaq 2019-02-07T13:52:56Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249271#M70886 <P>What are the common name and the SAN entries for the certificate? Do any of those match the URL of the web GUI?</P> Thu, 07 Feb 2019 16:57:33 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249271#M70886 rmfalconer 2019-02-07T16:57:33Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249328#M70899 <P>No common name does not match the webgui for the firewall.</P><P>SSL decryption has different common name</P> Thu, 07 Feb 2019 19:54:54 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249328#M70899 MP18 2019-02-07T19:54:54Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249332#M70901 <P>Then the warning is expected. As I said previously, the browser will give a warning if the proper name or IP address is not the CN or included as a SAN entry.</P> Thu, 07 Feb 2019 20:38:40 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249332#M70901 rmfalconer 2019-02-07T20:38:40Z https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249385#M70919 <P>Many Thanks for help</P> Fri, 08 Feb 2019 03:38:04 GMT https://live.paloaltonetworks.com/t5/general-topics/can-i-use-ssl-decryption-cert-for-web-gui/m-p/249385#M70919 MP18 2019-02-08T03:38:04Z