topic Re: Web-gui access with no secure certificate. in General Topics

Web-gui access with no secure certificate.

SaulGlz — Fri, 04 Oct 2019 00:20:03 GMT

I access via GUI from Chrome and observe that the connection is not secure.

I created the certificate for the firewall, but Chrome keeps saying that my connection is not secure.

How can I solve this problem if the AC I have is internal to the company?

Is there any way to generate certificates with AES-GCM?

in chrome, the following legend appears to me.

Re: Web-gui access with no secure certificate.

JoergSchuetter — Fri, 04 Oct 2019 08:10:48 GMT

Hello Chrome insists on seeing the fqdn also in the SAN value (subject alt(ernative) name). As long as this data is not there, it is treated as invalid.

Re: Web-gui access with no secure certificate.

SaulGlz — Fri, 04 Oct 2019 15:30:36 GMT

Just enter an alternative name, I'll try to place the same FQDN in the alternative name.

Re: Web-gui access with no secure certificate.

SaulGlz — Fri, 04 Oct 2019 21:33:11 GMT

Change the alternative name and chrome already recognized the certificate as valid.

Thanks for the support.

Re: Web-gui access with no secure certificate.

MP18 — Sun, 06 Oct 2019 14:02:04 GMT

even if you put ip address in subject alternative name it works.

Re: Web-gui access with no secure certificate.

SaulGlz — Mon, 07 Oct 2019 17:28:00 GMT

I'll Perform the test as indicated, the firewall management IP is a private IP even if I will try.

Re: Web-gui access with no secure certificate.

SaulGlz — Mon, 21 Oct 2019 18:05:53 GMT

Create the certificate by placing the device IP in the SAN and it does not work..

It only works by placing the same name on both the CN and the SAN.

Re: Web-gui access with no secure certificate.

rmfalconer — Mon, 21 Oct 2019 19:46:29 GMT

When creating SAN entries, you always put the common name as a SAN entry as well.

If you add the IP address as a SAN entry, make sure the type is IP Address (v4) instead of DNS name.

When I create certificates for devices like a PA, I do as shown below. The cert will be valid if you access with FQDN, short name or IP.

Common Name = devicename.domain.com

SAN:

DNS= devicename.domain.com

DNS= devicename

IP Address (v4) = IP Address

Re: Web-gui access with no secure certificate.

OmkarM — Wed, 10 Aug 2022 13:18:28 GMT

Hi Team,

I was able to solve the issue by using below KB for adding SAN name in certificate

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluVCAS

Generated Self-Signed certificate in PA,then in certificate attributes add hostname and IP same as management address.

Here hostname denotes as SAN name (Subject Alternative Name)

Attach certificate to TLS Profile and that TLS profile to SSL/TLS management interface to login in GUI via TLS1.1/2

Attached reference screenshot