SSL CSR SAN Multiple Uses

L2 Linker

PA-5220, 8.0

I need to generate a CSR for a cert that will be used for multiple things: web GUI admin, GlobalProtect VPN, etc. The instructions for how to generate the CSR with subject alternative names are not clear.

Should the common name be one of the uses, e.g. vpn.mycompany.com, or should the common name be *.mycompany.com with all host names listed as attributes, e.g. vpn.mycompany.com, webgui.mycompany.com, etc.?

L6 Presenter

Re: SSL CSR SAN Multiple Uses

I'm not sure what instructions you were following, but it may be a mixture of wildcard/SAN cert.

CN=vpn.mycompany.com

certificate attributes

hostname=webgui.mycompany.com

hostname=vpn2.mycompany.com

hostname=anyfink.mycompany.com

as per... https://live.paloaltonetworks.com/t5/Management-Articles/Creating-Certificate-Subject-Alternate-Name...

L2 Linker

Re: SSL CSR SAN Multiple Uses

8.0 documentation is where I got confused. See bolded text below. Why would a Host Name attribute match the Common Name?

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/certificate-management/obtain-certif...

9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.

If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.

L6 Presenter

Re: SSL CSR SAN Multiple Uses

I think what it's trying to say is that if your CN is fred.com and your portal address DNS resolves to fred.com, then adding joe.com to the SAN will cause a cert issue for GP.

so... your GET request is for fred.com but the trusted cert will have a hostname of joe.com...

In their example you don't need to add a hostname attribute; the SAN of fred.com will be assumed.

so... for the case of a single-host cert, if you are going to add a hostname attribute (not actually required) then keep it the same as the CN.

The ref doc link you provided is not really for SAN certs.

L6 Presenter

Re: SSL CSR SAN Multiple Uses

Hmmm... just re-read my previous post and I obviously have no idea what I'm talking about...

I need to re-read the step "9" note in that document.

below... from Palo...

If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.

Perhaps someone else can decipher this....

L2 Linker

Re: SSL CSR SAN Multiple Uses

I've got the web GUI configured for now. Had to generate a new CSR and make sure to include SANs for web GUI, etc.

Next step is to configure GlobalProtect with the cert.
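The setup the thread converges on (Common Name set to one service hostname, a SAN entry for every hostname the cert will serve, and the CN repeated in the SAN as the PAN-OS note requires for GlobalProtect), as an added OpenSSL example that is not part of any post here and not the PAN-OS CSR tool itself; the hostnames and file paths are constructed placeholders.

```shell
# Added example, not from the thread: build a CSR whose Common Name is one
# service hostname and whose SAN extension lists every hostname the cert will
# serve, then verify the CSR before submitting it to the CA.
# Hostnames are constructed placeholders following the thread's pattern.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="vpn.mycompany.com"
SANS="vpn.mycompany.com webgui.mycompany.com vpn2.mycompany.com"

# OpenSSL request config: CN in the subject, every hostname in subjectAltName.
write_req_config() {
    san_list=""
    for h in $SANS; do
        san_list="${san_list:+$san_list,}DNS:$h"
    done
    cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $CN
[v3_req]
subjectAltName = $san_list
EOF
    echo "$WORKDIR/san.cnf"
}

# Generate a fresh RSA key and the CSR; prints the CSR path.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/san.key" -out "$WORKDIR/san.csr" \
        -config "$(write_req_config)" >/dev/null 2>&1
    echo "$WORKDIR/san.csr"
}

# List the DNS names in the CSR's SAN extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# Succeeds only if the CN is also in the SAN list: modern clients ignore CN,
# and the PAN-OS note says the GlobalProtect hostname must match it.
check_cn_in_san() {
    cn=$(openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//')
    csr_sans "$1" | grep -qx "$cn"
}
```

Run `gen_csr` and then `check_cn_in_san "$WORKDIR/san.csr"` before uploading the CSR; a non-zero exit means the Common Name is missing from the SAN list.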
