Intermediate certs for SSL-VPN portal

L2 Linker

Hi!

I am using a DigiCert certificate for the SSL VPN portal and the management interface, and it all works well with most browsers. However the certification chain requires an intermediate CA to be trusted/sent as well, and I haven't managed to get that to work on the PAN-box.

It's not a big issue as most browsers seem to be able to resolve the chain by themselves, but for example Firefox on Linux and the iPad are unable to verify the chain.

I have added the intermediate certificate required as a trusted CA but that didn't seem to help.

Any suggestions or tips are greatly appreciated.

Thanks, Tom


L6 Presenter

What version of Firefox is running on the Linux and iPad devices?

L1 Bithead

Hi.

I have the same problem with Digi intermediate certificate.

Did you find any solution to this problem?

Thanks, Roger

L0 Member

I didn't notice either; however, I am having the same issue with my DigiCert certificates not being trusted on my iOS devices, served up via either the Palo Alto or a set of Juniper SAs we have, when connecting using Safari or the Junos Pulse client. I believe this might be an iOS cert store issue.

Have you found a resolution to this issue? I am experiencing the same problem.

Hello,

The problem happens because PAN OS doesn't always import the intermediate certificate (I don't know why). The fix is to edit the XML configuration file to add the intermediate certificate, then upload it back to your box and commit.

Many browsers don't complain about a missing intermediate cert, because many of them embed widespread vendors in addition to root CAs (which is a pure security mess, of course).

Here is an extract from the XML which is missing the intermediate:

<entry name="Mgmt and Portal">
  <common-name>xxxxxxxxxxxxxxxxx</common-name>
  <ca>no</ca>
  <expires>Sep 2 2014</expires>
  <expiry-epoch>1409649540</expiry-epoch>
  <public-key>Bag Attributes
    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
    friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
</public-key>

The fix consists of inserting the intermediate certificate after the existing one inside the <public-key> statement:

<entry name="Mgmt and Portal">
  <common-name>xxxxxxxxxxxxxxxxx</common-name>
  <ca>no</ca>
  <expires>Sep 2 2014</expires>
  <expiry-epoch>1409649540</expiry-epoch>
  <public-key>Bag Attributes
    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
    friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aEd5y3GY3i4aWL/LKXe70PBADPZjnDvnJ5e6QhK94uIQdBh9kC26vy89SYsO+XbGOjnZN0QvyvCia
U80x2DrJvbMgKego/ZHQ6B45YckeyZ97YtRd30TZI/eDfCtgtrPbm4RLCYjqPESfnx1xyQnbMyqQ7q
FzGetu6ouKSllYycKyErYJbAoVYpozGx59i0gYTVCJluKcx3POnozvw7ZPUzJMgBMRJdS3Va8WW
kLcHynh1rlcHwWPK022ouJFrMHEQ.........
-----END CERTIFICATE-----
</public-key>

Import your XML file back, commit and enjoy. Be aware that you will need to restart your appliance's dataplane or even reboot, because PAN OS doesn't detect that there was a real change inside the public certificate chain (another bug?), so it won't reload it during commit.
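The edit described in the post above, done as a script instead of by hand (an added example, not code from the thread or from Palo Alto Networks): it finds the named certificate entry in an exported PAN-OS config, appends the intermediate PEM after the leaf inside <public-key>, and skips the append when that block is already there. The <config>/<certificate> wrapper, the entry contents and both PEM bodies are constructed placeholders, not real certificates.

```python
import re
import xml.etree.ElementTree as ET

# One PEM certificate block; DOTALL lets the body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample: the entry layout follows the thread's extract; the
# <config>/<certificate> wrapper and the PEM bodies are placeholders, not real data.
SAMPLE_CONFIG = """<config><certificate>
<entry name="Mgmt and Portal">
<common-name>vpn.example.com</common-name>
<ca>no</ca>
<public-key>Bag Attributes
    friendlyName: Mgmt and Portal
subject=CN=vpn.example.com
issuer=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFLEAFLEAFLEAFLEAFLEAFLEAFLEAFLEAF
-----END CERTIFICATE-----
</public-key>
</entry>
</certificate></config>"""

INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
INTERMEDIATEINTERMEDIATEINTERMEDIATE
-----END CERTIFICATE-----"""


def pem_blocks(text):
    """Return the PEM certificate blocks contained in text, in order."""
    return PEM_RE.findall(text or "")


def add_intermediate(config_xml, entry_name, intermediate_pem):
    """Append intermediate_pem after the leaf in the named entry's <public-key>.
    Returns (patched_xml, pem_block_count). Idempotent: no duplicate appends."""
    root = ET.fromstring(config_xml)
    # Many config sections use <entry name=...>; keep only one carrying a key.
    entry = next((e for e in root.iter("entry")
                  if e.get("name") == entry_name and e.find("public-key") is not None), None)
    if entry is None:
        raise KeyError(f"no certificate entry named {entry_name!r}")
    pk = entry.find("public-key")
    if not pem_blocks(pk.text):
        raise ValueError("<public-key> holds no PEM certificate to chain onto")
    norm = lambda pem: re.sub(r"\s+", "", pem)  # whitespace-insensitive compare
    if norm(intermediate_pem) not in {norm(b) for b in pem_blocks(pk.text)}:
        # Order matters: the leaf stays first, its issuer follows it.
        pk.text = pk.text.rstrip() + "\n" + intermediate_pem.strip() + "\n"
    return ET.tostring(root, encoding="unicode"), len(pem_blocks(pk.text))
```

After importing and committing, confirm the portal now sends both certificates with `openssl s_client -connect portal.example.com:443 -showcerts`; as the thread notes, a dataplane restart or a renamed certificate object may be needed before the new chain is served.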

I do not see the XML inside my configuration file that you are referencing. I'm on PAN-OS 3.1.9, are you running something else? The certificates are referenced in my configuration file in the Captive Portal and SSL-VPN sections, but the actual certificates are not in this file.

I am using 4.0+ software only. No idea where certificates are stored on 3.x, but it looks like it shares the same bug.

L3 Networker

SSL certificates were not included in the config XML file until 4.0.

Also, instead of rebooting the device or the dataplane, when importing the same certificate that you already imported, just give it a new name, then change your SSLVPN or captive portal config to use this new certificate.

Thank you, essnet! Nothing else worked for me, but manually appending the intermediate cert to the primary in XML did the trick!

I also had to reboot the devices for the change to take effect. I would've thought after 1.5 years that would be fixed.

Thanks again!
