topic Re: SSL inbound inspection cert in General Topics

SSL inbound inspection cert

raji_toor — Tue, 23 Jun 2020 18:30:16 GMT

Might be silly question, For inbound inspection does the cert has to be a CA.

We use a wildcart so that will have to imported as CA, correct?

Re: SSL inbound inspection cert

raji_toor — Tue, 23 Jun 2020 21:06:29 GMT

Are there any KB articles or resources for import a certificate for inbound SSL inspection. We do have outbound SSL inspection working with certificate from our internal CA.

Re: SSL inbound inspection cert

jdelio — Tue, 23 Jun 2020 21:30:51 GMT

The thing about a Decryption Certificate is that it needs to create certificates on the fly as part of the decryption process (Man in the Middle). You cannot purchase a 3rd Party CA (Certificate Authority) , as there is no way that GoDaddy or anyone else would allow you to create their SSL Certs (what a CA does). You either have to have an internal CA that you grant a CA to the Firewall to use as its own (And be trusted) or to use the Firewall as the CA.

Just about every SSL article that we have talks about using the built in CA on the Firewall, but I will see if I can find any that may explain the use of an External CA.

Re: SSL inbound inspection cert

raji_toor — Tue, 23 Jun 2020 21:36:59 GMT

@jdelio Thanks for response..Yes all articles and videos show with self signed cert. But i can't use this self signed cert for our publicly exposed websites, it has to be a cert from external CA. Self signed can work if it was outbound encryption, which we are already performing with cert from our internal CA.

Re: SSL inbound inspection cert

jdelio — Tue, 23 Jun 2020 21:45:04 GMT

OK, you are talking about 2 things..

1. Outbound SSL Decryption - Where you use an Internal CA as the CA to create certs for internal users so they natively trust the CA cert.

2. Inbound SSL Decryption - Where you have a Web server that you want the firewall to decrypt traffic on behalf of.

In the second case, you end up using the Certificate from the Web Server. Essentially Posing AS that Web server, so you can decrypt and encrypt the traffic.

So, wherever you purchased the Cert for the Web server, you would just install that certificate on the firewall and use that cert for Inbound SSL decryption.. I am sure we have something on that..

Re: SSL inbound inspection cert

jdelio — Tue, 23 Jun 2020 21:50:28 GMT

Here is one that I created on SSL decryption

https://live.paloaltonetworks.com/t5/tutorials/how-to-configure-ssl-decryption/ta-p/65073

Also, FYI here is the SSL Decryption resource list:

https://live.paloaltonetworks.com/t5/management-articles/ssl-decryption-resource-list/ta-p/70397

hope this helps..

Re: SSL inbound inspection cert

BPry — Wed, 24 Jun 2020 04:40:00 GMT

@raji_toor,

When setting up inbound inspection the certificate won't be a CA cert, you're just going to import the certificate and the private key. The following documentation will walk you through the setup process. Just keep in mind you'll likely want to limit the decryption rule base entry to a select test IP when getting everything setup so you don't cause any security issues on your public resource.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/configure-ssl-inbound-inspection.html

Re: SSL inbound inspection cert

jdelio — Wed, 24 Jun 2020 15:08:44 GMT

@BPry

Thanks for chiming In.. yes, when you are doing Inbound SSL decryption, the cert is NOT an CA..

Re: SSL inbound inspection cert

raji_toor — Wed, 24 Jun 2020 18:44:19 GMT

@BPry and @jdelio Thanks for inputs. I had my head stuck with the way we did outbound decryption which was incorrect for inbound inspection.

And just FYI the links shared earlier, i don't have access to them.

I used the wildcard cert now that we also use for GlobalProtect, but the first attempts are failing. I have opened a new discussion for that.

Re: SSL inbound inspection cert

jdelio — Thu, 25 Jun 2020 14:57:49 GMT

@raji_toor You do not have access to those articles? Do you get an error? everyone should have access to those.

Re: SSL inbound inspection cert

raji_toor — Thu, 25 Jun 2020 15:40:04 GMT

@jdelio This is what i get on clicking the links

Re: SSL inbound inspection cert

jdelio — Thu, 25 Jun 2020 20:05:07 GMT

That is not right, especially since you are already a customer.

Please allow us to investigate why this is happening.