This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Cert key import

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Cert key import

jdprovine
L4 Transporter

‎03-27-2017 11:54 AM

What is the best way to import a key for a globalprotect portal? I already have CA installed.

0 Likes Likes
14 REPLIES 14

TranceforLife
L6 Presenter

‎03-27-2017 01:10 PM - edited ‎03-27-2017 01:33 PM

Hi,

 

Just did recently. I used COMODO (think it is 4-5 £ per year). So generated CSR, sent to comodo. Received back signed cert (did only DV check) imported the cert to the firewall as well as the private key (i used .txt file). Private key will be encrypted l think by Master Key on PA. Created an SSL Profile and used with GP configuration.

0 Likes Likes

jdprovine
L4 Transporter
In response to TranceforLife

‎03-27-2017 01:38 PM

yeah I believe I only need to add the key  not the cert. 

0 Likes Likes

gwesson
L7 Applicator
In response to jdprovine

‎03-27-2017 01:48 PM

When using a public CA, the chain is vitally important to get right. It can be done wrong, and cause some issues. Here's a doc I wrote a few years that goes into the details:

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed...

jdprovine
L4 Transporter
In response to gwesson

‎03-27-2017 01:55 PM

I am using a internal CA , we have our own CA server setup in our networkl I created the key on it

0 Likes Likes

jdprovine
L4 Transporter
In response to jdprovine

‎03-29-2017 09:38 AM

so do i choose import and then browse to the key or do I need to chain it to the CA that is already installed on the PA

0 Likes Likes

TranceforLife
L6 Presenter
In response to jdprovine

‎03-29-2017 09:54 AM

So l had a .crt certificate  + .txt private key. Imported both and everything works as it should 

0 Likes Likes

jdprovine
L4 Transporter
In response to TranceforLife

‎03-29-2017 12:50 PM

There is already an existing .crt on the box I just need to add the key but I am not sure what the right procedure is

0 Likes Likes

TranceforLife
L6 Presenter
In response to jdprovine

‎03-29-2017 02:02 PM

As far as l know you should have your private key as a separate file and while importing the certificate into the box use the option to add a private key as below:

 

TEST.PNG

 

When you finish you should see cert with private key uploaded and ready to be used:

 

CERT.PNG

 

If you uploaded the cert without the key l don't think you can use it as you will not be able to decrypt the data. 

Re-upload the cert same time importing the private key.

0 Likes Likes

jdprovine
L4 Transporter
In response to TranceforLife

‎03-29-2017 02:09 PM

Okay that makes sense and thanks for the screen shots. So are you basically chain it to the existing cert?

0 Likes Likes

TranceforLife
L6 Presenter
In response to jdprovine

‎03-29-2017 02:37 PM

l don't really know what exactly is happening behind the scenes but to me you uploading a digital certificate (its signed by trusted authority as well as contains a public key):

 

CERCER.PNG

 

When SSL handshake is completed, the client will encrypt the data with the Public Key taken from the cert. For you to be able to decrypt you need to have a private key. Is it chained with cert when you uploading or not I am not sure and don't know much about the certs format. Sorry

0 Likes Likes

bradk14
L4 Transporter
In response to TranceforLife

‎03-29-2017 05:03 PM

if I am understanding everything correctly, if you've already generated the CSR on the PA and thus it already has the private key installed, then yes, just import the public key from the CA. The PA should marry the two automatically.

 

--
CCNA Security, PCNSE7
0 Likes Likes

jdprovine
L4 Transporter
In response to bradk14

‎03-30-2017 06:10 AM

I have my own trusted root CA server and can generate my own certs and keys. Currently it has a the trusted root CA certificate installed and I want to add another key for another global protect portal on the  PA and would like to add a cert and key to it.

 

0 Likes Likes

bradk14
L4 Transporter
In response to jdprovine

‎03-30-2017 07:49 AM

so then generate a new certificate, making sure you don't check the CA button to create and export the CSR, run the CSR through your enterprise CA and then import the resulting public key.

 

https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Generate-a-CSR-Certificate-Signing-Req...

--
CCNA Security, PCNSE7
0 Likes Likes

jdprovine
L4 Transporter
In response to bradk14

‎03-31-2017 09:30 AM

can I add a key to an existing csr since we have global one?

0 Likes Likes
  • 3724 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks