topic Re: SSL Certificates from enterprise CA in General Topics

SSL Certificates from enterprise CA

RobinClayton — Tue, 11 Jun 2019 15:12:59 GMT

I will admit, certificates are one of my bigest hates.. I just can't get on with them

Firstly we have a microsoft EnterPrise CA. Which I am not overly familiar with anyway ( But I have managed to get the web interface workig on it...)

Idealy what I would love is top be able to generate certificates on the firewall that are trusted by all clients...

But I can start small!

I have followed many BITTY guides to try and pice together some thing that works, but keep getting no good success.

Firstly I would like a certificate that works for the management login page! Tried many thing ( creating a sigingin request, importing the CA [i think] from Microsoft, trying SubordinateCA's ) But nothing works on the login page , and yes I am attaching the service profile in the device config..

Then I need to create decryption certificates, but that's the next step.

Loosing the will to live.

Rob

Re: SSL Certificates from enterprise CA

OtakarKlier — Tue, 11 Jun 2019 16:33:14 GMT

Hello,

This is the article you will need to follow for the management interface certificate:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK

For the SSL decryption, you'll need a Subordinate CA certificate so it can generate certs on the fly.

https://live.paloaltonetworks.com/t5/Blogs/Generating-Certificates-from-CSR-for-Decryption/ba-p/171008

Regards,

Re: SSL Certificates from enterprise CA

RobinClayton — Wed, 12 Jun 2019 10:27:01 GMT

Yes followed those a million times over and could not get a certificate that was trusted by Chrome (Don't use IE as the Palo interface causes it to SWALLOW memory)....

After a bit more digging, looking at the chrome error "ERR_CERT_COMMON_NAME_INVALID" this is actually a bit of a poor eroor message. Chrome aparently looks at the cert for a SAN, supposedly..

During the PA certificate generation there is no option to populate the SAN attribute.

So, when generating this through the web interface on the Internal CA, you can manualy add the attribute.

After importing that cert and deleting all my unsuccessful previous attemtps from the CA...

Cheers

Rob

Re: SSL Certificates from enterprise CA

RobinClayton — Thu, 13 Jun 2019 08:18:44 GMT

So,

I have no idea how I got this to work yesterday, I did some further work and removed the workign certificate then could not get it to work again????

On inspecting the certificates that were being generated I could see there was no SAN entries??? But no errors were generated.

I tried on the CLI of the CA server, and got the same, certificates were generated with no errors but no SAN 😞

I tried on the CLI of the CA server, but using our old CA to generate the cert, certificates were generated with no errors but and SAN was listed.

Bit of furhter researcha nd discovered that you can enable/disable SAN on certificates..

There are policies for certificate creation and one is ( EDITF_ATTRIBUTESUBJECTALTNAME2 ) for SAN.

It's a registry key but, we can also do this

To view the policy we use...

certutil -getreg policy\EditFlags

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\cumberland-PROD-MSAPP01-CA-1\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.

And to update the policy

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Old Value:
EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

After restarting CERT Service, SAN creation now works.

I can now create a certificate with SAN names for all our firewalls and that will be accepted by Chrome.

Rob

Re: SSL Certificates from enterprise CA

OtakarKlier — Thu, 13 Jun 2019 15:43:29 GMT

Hello,

Nice writeup!

Cheers!