Intermediate certs for SSL-VPN portal

L1 Bithead

Intermediate certs for SSL-VPN portal

Hi!

I am using a DigiCert certificate for the SSL VPN portal and the management interface, and it all works well with most browsers. However the certification chain requires an intermediate CA to be trusted/sent as well, and I haven't managed to get that to work on the PAN-box.

It's not a big issue as most browsers seem to be able to resolve the chain by themselves, but for example Firefox on Linux and the iPad are unable to verify the chain.

I have added the intermediate certificate required as a trusted CA but that didn't seem to help.

Any suggestions or tips are greatly appreciated.

Thanks, Tom

L6 Presenter

Re: Intermediate certs for SSL-VPN portal

What version of Firefox is running on the Linux and iPad devices?

L1 Bithead

Re: Intermediate certs for SSL-VPN portal

Hi.

I have the same problem with a DigiCert intermediate certificate.

Did you find any solution to this problem?

Thanks, Roger

L0 Member

Re: Intermediate certs for SSL-VPN portal

I didn't notice either; however, I am having the same issue with my DigiCert certificates not being trusted on my iOS devices, served up via either the Palo Alto or a set of Juniper SAs we have, when connecting using Safari or the Junos Pulse client. I believe this might be an iOS cert store issue.

L1 Bithead

Re: Intermediate certs for SSL-VPN portal

Have you found a resolution to this issue? I am experiencing the same problem.

L4 Transporter

Re: Intermediate certs for SSL-VPN portal

Hello,

The problem happens because PAN-OS doesn't always import the intermediate certificate (I don't know why). The fix is to edit the XML configuration file to add the intermediate certificate, then upload it back to your box and commit.

Many browsers don't complain about a missing intermediate cert, because many of them embed certificates from widespread vendors in addition to the root CAs (which is a pure security mess, of course).

L4 Transporter

Re: Intermediate certs for SSL-VPN portal

Here is an extract from the XML which is missing the intermediate:

<entry name="Mgmt and Portal">
  <common-name>xxxxxxxxxxxxxxxxx</common-name>
  <ca>no</ca>
  <expires>Sep 2 2014</expires>
  <expiry-epoch>1409649540</expiry-epoch>
  <public-key>Bag Attributes
    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
    friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
  </public-key>

The fix consists of inserting the intermediate certificate, in addition to the existing one, inside the <public-key> element (the server certificate first, the intermediate after it):

<entry name="Mgmt and Portal">
  <common-name>xxxxxxxxxxxxxxxxx</common-name>
  <ca>no</ca>
  <expires>Sep 2 2014</expires>
  <expiry-epoch>1409649540</expiry-epoch>
  <public-key>Bag Attributes
    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
    friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aEd5y3GY3i4aWL/LKXe70PBADPZjnDvnJ5e6QhK94uIQdBh9kC26vy89SYsO+XbGOjnZN0QvyvCia
U80x2DrJvbMgKego/ZHQ6B45YckeyZ97YtRd30TZI/eDfCtgtrPbm4RLCYjqPESfnx1xyQnbMyqQ7q
FzGetu6ouKSllYycKyErYJbAoVYpozGx59i0gYTVCJluKcx3POnozvw7ZPUzJMgBMRJdS3Va8WW
kLcHynh1rlcHwWPK022ouJFrMHEQ.........
-----END CERTIFICATE-----
  </public-key>

Import your XML file back, commit and enjoy. Be aware that you will need to restart your appliance dataplane or even reboot, because PAN-OS doesn't detect that there was a real change inside the public certificate chain (another bug?), so it won't reload it during commit.
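The shell script below is an added example, not code from this thread or from Palo Alto Networks. It builds a throwaway three-tier lab PKI with openssl (the names "Lab Root CA", "Lab Intermediate CA" and "vpn.example.test", the $WORK directory and every function name are constructed for the example), then shows the two things a practitioner wants to confirm around the fix above: a client that trusts only the root cannot verify the portal's leaf certificate on its own (the Firefox-on-Linux and iPad symptom), and the same client verifies it once the leaf and intermediate are bundled in the order the edited <public-key> element uses. It goes a little beyond the post by also checking that a bundle is ordered leaf first with each issuer matching the next subject, and by including a post-commit check of what the portal really sends (served_chain, which needs network access and is therefore not run by default). It assumes a POSIX shell with openssl and awk on the PATH.

```shell
#!/bin/sh
# Added example: constructed lab PKI, not the poster's DigiCert chain.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extension profiles for the lab CAs and the portal leaf certificate.
write_ext_files() {
  cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
  cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:vpn.example.test
EOF
}

# Issue one certificate: $1 file stem, $2 subject, $3 ext file, $4 issuer stem ("" = self-signed)
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# root -> intermediate -> leaf, mirroring a public CA hierarchy.
make_lab_pki() {
  write_ext_files
  issue root "/CN=Lab Root CA" "$WORK/ca.ext" ""
  issue int  "/CN=Lab Intermediate CA" "$WORK/ca.ext" root
  issue leaf "/CN=vpn.example.test" "$WORK/leaf.ext" int
}

# A client that trusts only the root and is handed the leaf by itself:
# this is the "unable to verify the chain" situation from the thread.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Leaf followed by the intermediate, the layout of the edited <public-key> element.
build_chain() {
  cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/chain.pem"
}

# Same root-only trust store, but the intermediate is now available from the bundle.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Print the n-th certificate (1-based) of a PEM bundle.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n' "$1"; }

# Leaf first, each certificate's issuer equal to the next certificate's subject.
chain_order_ok() {
  n=$(pem_cert_count "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
    subject=$(nth_cert "$1" "$((i + 1))" | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
    i=$((i + 1))
  done
}

# Post-commit check (needs network, not run here): how many certificates does
# the portal at $1 actually send? Two or more means the intermediate is served.
served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

main() {
  make_lab_pki
  if verify_leaf_only; then echo "unexpected: leaf verified without the intermediate"
  else echo "leaf alone against a root-only trust store: NOT verified (the reported symptom)"; fi
  build_chain
  verify_with_chain && echo "leaf + intermediate bundle: verified"
  chain_order_ok "$WORK/chain.pem" && echo "bundle order: leaf first, then intermediate"
}
main
```

After the commit (and the dataplane restart the post mentions), served_chain against the portal hostname is the quickest way to tell whether the appliance is now sending the intermediate: a count of 1 means clients without a cached copy of that intermediate will still fail.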

L1 Bithead

Re: Intermediate certs for SSL-VPN portal

I do not see the XML inside my configuration file that you are referencing.  I'm on PAN-OS 3.1.9, are you running something else?  The Certificates are referenced in my configuration file in the Captive Portal and SSL-VPN sections, but the actual certificates are not in this file.

L4 Transporter

Re: Intermediate certs for SSL-VPN portal

I am using 4.0+ software only. No idea where certificates are stored on 3.x, but it looks like it shares the same bug.

L3 Networker

Re: Intermediate certs for SSL-VPN portal

SSL certificates were not included in the config XML file until 4.0.

Also, instead of rebooting the device or the dataplane, when importing the same certificate that you already imported, just give it a new name, then change your SSLVPN or captive portal config to use this new certificate.
