Can not check Forward Trust Certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Can not check Forward Trust Certificate

L2 Linker

Hello. 

I'm having an issue with a setup of decryption.

 

we have a custoemr who wants decryption. and they also have an entreprise CA. 
to have the least user impact they wanted to use an entreprise signed certificate for their ssl forward trust. 

I created a certificate as explained on palo alto resources

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/decryption/configure-ssl-forward-proxy

 

so far so good. 
I sent the csr to our customer. 

when I got it back( .cer) file I got an issue because it was not base 64 encoded. but could resolve it via this link:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGSCA0

 

 

afterwards I managed to get the certificate uploaded. 

however:

for the certificate the "key" checkbox is checked, but the "ca" checkbox is not. --> despite PA resources telling me it should be checked after the import(see first link step 3.4.d

when opening the certificate all options( ssl forward trust, untrust, etc are greyed out. the only option I can select is "certificate for secure syslog"

 

I'm starting to think the issue lies with the entreprise CA. or how teh certificate was signed. but wanted to make sure. perhaps someone on this forum knows more? 


1 accepted solution

Accepted Solutions

L7 Applicator

The enterprise CA that signed the CSR failed to ensure it is a actually a CA cert, sometimes known as a Signing cert or Delegation cert. It's not very obvious in that document, so it can be missed.

 

When you send the CSR to the enterprise CA, they must make it a signing/delegation/ca certificate or it cannot be used to sign the on-the-fly certificates the firewall generates when doing decryption. Without that, it is just a normal server certificate.

 

You don't have to go through the whole process again, you can just have the CA re-sign the CSR you gave, ensuring it is a CA cert as well.

View solution in original post

2 REPLIES 2

L7 Applicator

The enterprise CA that signed the CSR failed to ensure it is a actually a CA cert, sometimes known as a Signing cert or Delegation cert. It's not very obvious in that document, so it can be missed.

 

When you send the CSR to the enterprise CA, they must make it a signing/delegation/ca certificate or it cannot be used to sign the on-the-fly certificates the firewall generates when doing decryption. Without that, it is just a normal server certificate.

 

You don't have to go through the whole process again, you can just have the CA re-sign the CSR you gave, ensuring it is a CA cert as well.

L0 Member

Try using Subordinate Certification Authority Template.
Do not forget to Import the Root CA.

  • 1 accepted solution
  • 11732 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!