topic Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c in General Topics

"Only self signed CA cert can have identical sub and issuer fields" when uploading a certificate

LuisMateosCaro — Tue, 16 Jul 2019 10:56:15 GMT

This message appears when uploading an external CA certificate to the sistem. "Only self signed CA certificates can have identical subject and issuer fields". It's a Microsoft-adfs autosigned CA certificate used to sign SAML messages and we can't not change that, you know if there's any way to upload this certificate to the system in order we can use it? thanks!

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

BH6678 — Tue, 16 Jul 2019 19:54:15 GMT

Having this same issue. Anyone help with this?

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

AndyFlatt — Fri, 20 Dec 2019 11:11:29 GMT

Snap same issue, did anyone resolve this?

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Fri, 03 Jan 2020 16:25:50 GMT

Had same issue but managed to work around this.

1) Export XML config.

2) Set the CA flag.

3) Re-Import XML config.

🙂

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

MP18 — Fri, 03 Jan 2020 17:58:59 GMT

If you are configuring Microsoft SAML for MFA then you just need to

1>Export the XML file under SAML IDentity provider.

This will automatically create the certificate for you.

2>You do not need to check the CA under the certificates.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Fri, 03 Jan 2020 22:26:53 GMT

Have you tried it yourself ?

There is no "export" option under "SAML Identity Provider". I think you meant "Import". Even if you "Import" the XML from Azure, It doesn't set the CA flag.

You still get an error on commit as well. Only way around it that I've worked out is what I mentioned previously.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

MP18 — Fri, 03 Jan 2020 22:40:00 GMT

Sorry i Mean Import the XML file to PA

Yes i tried in my environment and it works.

Also you do not want the CA Flag to check.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Fri, 03 Jan 2020 23:03:21 GMT

How have you defined your certificates under authentication profile ?

I have used a wildcard cert to sign SAML messages to IDP and the Azure Cert selected under "Certificate Profile".

The only way to select the Azure Cert for "Certificate Profile" is to ensure it has the CA flag set.

I can confirm that SAML response and assertion work.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

MP18 — Fri, 03 Jan 2020 23:08:05 GMT

Yes the Certificate which is created automatically is defined under Authentication Profile and also under SSL/TLS profile.

Are you using Azure SAML for MFA or Global protect VPN?

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Fri, 03 Jan 2020 23:17:52 GMT

How did you define it within the authentication profile, certificate profile and SSL/TLS Service Profile ?

You can only select certs which have the CA flag set under "Certificate Profiles" which is then referenced within the "authentication profile".

For the "SSL/TLS service profile" the same applies but I've used a signed wildcard cert instead and imported the chain under "Certificates" to complete the trust.

Using SAML for Global Protect VPN.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

MP18 — Fri, 03 Jan 2020 23:24:45 GMT

Correction

Typo Cert which is automatically generated from XML file is not used in Authentication profile and SSL/TLS profile

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Fri, 03 Jan 2020 23:33:22 GMT

No worries. 🙂

Think you need it for response and assertion to work correctly. Therefore, You'll need to ensure the CA flag is set.

I'm not 100% sure if that's how your supposed certs for this as neither Palo Alto nor Azure actually tell you how to do the certs correctly. 😞

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

MP18 — Mon, 06 Jan 2020 04:38:56 GMT

Yes we need that cert for response and assertion to work correctly.

I have no CA checked for these certs under the certificates.

Seems there are many ways to make the SAML work with VPN.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

JohnWade — Mon, 30 Mar 2020 12:54:56 GMT

Ok, so it seems lots of people would have this problem since self signed certs for SAML Identity providers are probably best practice. (We started with a CA signed cert but then after doing certificate rollover with 40+ service providers a year and a half later decided this was insane.)

Palo Alto support tells me to either use a CA cert or generate a new cert in PaloAlto. Either way would force me into the certificate rollover process with all my service providers) Did anyone ever figure out a trick or workaround for this? This thread is not auspicious.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Tue, 31 Mar 2020 11:26:37 GMT

You tried the workaround I mentioned ?

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

JohnWade — Tue, 31 Mar 2020 12:07:38 GMT

Thanks for replying, I really appreciate it. As to the workaround, maybe I am dense, but I dumped out the xml and reviewed the <certificate> block. Each existing certificate is present and I can see how to change the the <ca></ca> flag, but since I can't import the certificate I need, it is not in this section. I thought I could just manually add the needed certificate to this section since I have the PEM encoded public key for the certificate, and I can pull most of the fields from the cert, but I was stumped by the subject and issuer hash tags, since I am not aware of what hashing algorithm they are using. (See below for an example CA entry.)

I admit, I must be missing something obvious, can you guide me in the error of my ways?

Thanks,

John

<entry name="DigiCertCA">
<subject-hash>58754cf2</subject-hash>
<issuer-hash>81b9768f</issuer-hash>
<not-valid-before>Oct 22 12:00:00 2013 GMT</not-valid-before>
<issuer>/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA</issuer>
<not-valid-after>Oct 22 12:00:00 2028 GMT</not-valid-after>
<common-name>DigiCert SHA2 High Assurance Server CA</common-name>
<algorithm>RSA</algorithm>
<expiry-epoch>1855828800</expiry-epoch>
<ca>yes</ca>
<subject>/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA</subject>

<public-key>-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
</public-key>
</entry>

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Wed, 01 Apr 2020 11:33:11 GMT

Is that the actual certificate ?

It's a root CA so it's going to have the CA flag already set.

Export candidate-config:

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

JohnWade — Wed, 01 Apr 2020 12:45:16 GMT

No, sorry if this was not clear. As I noted, this is just an example certificate from an existing CA taken from the XML config export. Since I can't import the certificate I need to add through the GUI, it is not in the export to tweak.

I included the example section to illustrate the fields you would need to have to manually create a certificate entry and import the config. I think I could put correct values in for most of them but am stumped by what hashing algorithm PaloAlto is using to generate the

<subject-hash>58754cf2</subject-hash>
<issuer-hash>81b9768f</issuer-hash>

Thanks!

But maybe I don't need to go down this path. Do you know of another way?

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

Nehmaan — Wed, 01 Apr 2020 13:10:39 GMT

Nothing to do with Palo, Here you go mate.

Re: "Only self signed CA cert can have identical sub and issuer fields" when uploading a c

JohnWade — Wed, 01 Apr 2020 13:23:05 GMT

Easy enough, will give it a try. Should have Googled it or gone to openssl rather than relying on Window's lame SSL cert tools. Thanks a million