Certificate for Secure Web GUI creation

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Certificate for Secure Web GUI creation

L2 Linker

Hello

Which attributes shall an external CA certificate have to be accepted as a Secure Web GUI Certificate?

I have imported one, but SSL Management doesn't work with it. These are its attributes:

   Version: 3 (0x2)
        Serial Number:
            15:28:3b:46:00:00:00:02:38:da
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=int, DC=company, CN=company
        Validity
            Not Before: Feb 20 17:16:16 2013 GMT
            Not After : Feb 18 17:16:16 2021 GMT
        Subject: C=es, ST=ada, L=ada, O=., OU=Sistemas de Informaci\xC3\xB3n, CN=pa-intx.company.int
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:a8:03:53:ba:6c:cf:63:fe:1e:b3:90:47:b1:32:
                    00:f6:7b:f3:28:40:10:81:50:b2:6f:ea:97:e4:ec:
                    7f:1b:9b:d3:30:d5:e8:fe:3e:d1:6d:ca:04:31:47:
                    d3:2c:fe:30:97:54:dd:ee:79:b8:55:d1:74:cc:ef:
                    38:7b:80:b9:c0:f5:0c:a4:f5:0c:09:2a:ce:70:3f:
                    0e:b9:b8:4b:f7:5d:4f:c6:e4:80:2c:e8:cd:7e:c5:
                    ae:25:51:0f:34:81:26:43:82:1f:61:7f:8a:a7:d6:
                    e4:fb:88:3a:34:3f:52:93:f7:2d:c6:b4:ca:09:ac:
                    6a:1a:d0:f9:bb:4f:92:6b:21:e3:99:a4:26:a1:da:
                    8a:dd:71:10:ee:6c:86:b1:3b:b4:b5:3a:27:63:ce:
                    0b:0d:5c:ef:80:22:60:cd:0e:56:5d:7b:79:1e:01:
                    25:1b:ba:a2:90:27:8f:55:18:a2:ca:c0:9c:a0:b0:
                    7f:85:7f:27:ff:4c:d4:39:65:2b:11:d2:b9:fe:aa:
                    4f:10:9f:96:73:29:73:28:91:b0:49:19:f2:33:f1:
                    77:bc:1b:64:37:ce:18:b9:62:2f:37:b2:4e:91:47:
                    9a:3e:8e:de:b3:c3:13:e2:42:80:92:3b:1b:99:5f:
                    00:89:56:91:94:bb:0f:86:fd:9a:0d:d2:d8:bb:14:
                    d3:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B9:3D:01:81:2B:13:00:A3:B7:7A:59:B1:46:C6:33:9E:34:B0:7D:B4
            X509v3 Authority Key Identifier:
                keyid:09:9A:47:A9:5C:87:E0:B3:41:04:3F:55:21:24:06:1C:A0:EC:3C:BC

            X509v3 CRL Distribution Points:
                URI:ldap:///CN=company,CN=escullos01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint
                URI:http://escullos01.company.int/CertEnroll/company.crl

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=company,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=int?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://escullos01.company.int/CertEnroll/escullos01.company.int_company.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....<...1...$.......|./..d...<..d...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            1.3.6.1.4.1.311.21.10:
                0.0

These are the ones from de Internal Palo Alto Certificate:

[redes@gollum Certificados]$ openssl x509 -in Cert_Interno_Pa_Intx.cer -text -noout

Certificate:

    Data:

        Version: 1 (0x0)

        Serial Number:

            d9:4d:91:9b:17:e4:0c:4c

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: C=US, ST=CA, L=Sunnyvale, O=Palo Alto Networks, OU=Support, CN=localhost/emailAddress=support@paloaltonetworks.com

        Validity

            Not Before: Jul 12 22:18:24 2010 GMT

            Not After : Jul 11 22:18:24 2020 GMT

        Subject: C=US, ST=CA, L=Sunnyvale, O=Palo Alto Networks, OU=Support, CN=localhost/emailAddress=support@paloaltonetworks.com

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (1024 bit)

                Modulus (1024 bit):

                    00:b7:5c:d2:e2:08:9d:de:8f:4f:7f:a5:d5:99:34:

                    ed:4a:7e:39:f5:88:1b:19:33:e8:2b:cb:4d:cd:e3:

                    62:b8:78:8f:c7:1a:76:23:81:5b:09:7a:90:5a:d4:

                    8f:43:07:9e:47:5b:4d:35:13:68:ae:f3:cd:47:5b:

                    9b:dc:78:a1:cb:49:cf:27:27:1b:fa:21:50:54:5c:

                    94:7a:5f:42:2b:2c:2c:51:7f:6e:9a:de:89:c0:3c:

                    29:1d:2c:34:05:a4:68:85:56:42:79:e2:db:31:f1:

                    6d:25:84:5b:d1:de:4a:f9:aa:8d:8d:00:e3:9f:b5:

                    c3:73:38:1a:f7:a6:91:69:d1

                Exponent: 65537 (0x10001)

    Signature Algorithm: sha1WithRSAEncryption

        1a:a3:44:23:8b:01:cb:44:fd:68:41:3a:70:67:bf:03:09:40:

        19:c7:9d:06:f8:b9:2b:93:b7:91:f3:da:7e:eb:9e:7a:ca:59:

        dc:ea:57:35:c1:5b:d4:f6:de:88:06:3a:27:7f:d9:c0:ec:da:

        bd:01:b9:95:4e:76:2c:2b:cd:be:d0:bc:fa:85:9c:95:d8:6f:

        74:e8:7e:3b:9e:58:b1:4b:9e:45:36:21:cc:35:8a:a0:2b:46:

        28:a1:f5:52:c1:f0:cd:cd:07:0e:7d:b4:03:bc:54:e2:26:a6:

        5f:ca:3a:88:3e:dc:a7:97:13:9a:24:68:a0:4a:a2:24:27:3d:

        0b:df

2 REPLIES 2

L7 Applicator

Two questions:

1. Was the private key imported with the certificate?

2. If yes, what is the error message (if any) that you receive when trying to select that certificate as the Web GUI Certificate?

I also noticed that you have an accent in the OU field "Informaci\xC3\xB3n". While that should work, you may want to try regenerating it without the accent mark over the o.

As long as the certificate has the private key, you should be able to use it. It does not need to be a CA certificate.

Hope this helps!

Greg

1.- Yes, the private key s included

2 .- There's no error. The GUI does not respond after applying the Commit, though telnet to 443 por is answering.


  • 2705 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!