SSL Decryption - Enterprise CA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SSL Decryption - Enterprise CA

L2 Linker

Hi Everyone,

 

Recently a decision was made to implement SSL Decryption for outbound inspection.  We work within a Microsoft PKI environment and are experiencing issues in signing the CSR generated by the firewall.  I create the CSR based on the "how to implement and test ssl decryption" document I found via the Live Community (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption... So, the CSR is designated as a CA and set to Signed by External Authority (CSR).  Unfortunately, each time I receive the certificate, the Forward Trust Certificate is greyed out.  We've tried both - CA box checked and CA box unchecked, the result is the same.  We did find that our SubCA's were under constraints and cannot sign, so we used the Root to perform the signing but the result is the same.

 

Just wondering if anyone has a suggestion or if we need to review and follow the workaround I found here: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-M....

 

thank you,

 

Carter

1 accepted solution

Accepted Solutions

L2 Linker

I don't believe you will have to generate a CSR for this. You can either do a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure).  Steps 1-4 are all done within the Microsoft Certificate Server while steps 5-6 are when you import the certificate into the firewall. Try generating a cert from within your environment and import that generated certificate into the firewall.

 

Generating and Importing a Certificate from Microsoft Certificate Server

  1. On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate template “subordinate CA”. Download the cert.
  2. After downloading, export the certificate from the local certificate store. In IE, access the Internet Options dialog, select the Content tab, then click the Certificates button. The new certificate can be exported from the Personal certificates store. Select “Certificate Export Wizard”, export the private key, then select the format. Enter a passphrase and a file name and location for the resulting file. The certificate will be in a PFX format (PKCS #12).
  3. To extract the certificate, use this openSSL[4] command:
    openssl pkcs12 –in pfxfilename.pfx –out cert.pem –nokeys
  4. To extract the key, use this openSSL command:
    openssl pkcs12 –in pfxfilename.pfx –out keyfile.pem -nocerts
  5. Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab > Certificates screen.
  6. In the case of a High Availability (HA) Pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

 

 

- Peter

View solution in original post

4 REPLIES 4

L2 Linker

I don't believe you will have to generate a CSR for this. You can either do a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure).  Steps 1-4 are all done within the Microsoft Certificate Server while steps 5-6 are when you import the certificate into the firewall. Try generating a cert from within your environment and import that generated certificate into the firewall.

 

Generating and Importing a Certificate from Microsoft Certificate Server

  1. On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate template “subordinate CA”. Download the cert.
  2. After downloading, export the certificate from the local certificate store. In IE, access the Internet Options dialog, select the Content tab, then click the Certificates button. The new certificate can be exported from the Personal certificates store. Select “Certificate Export Wizard”, export the private key, then select the format. Enter a passphrase and a file name and location for the resulting file. The certificate will be in a PFX format (PKCS #12).
  3. To extract the certificate, use this openSSL[4] command:
    openssl pkcs12 –in pfxfilename.pfx –out cert.pem –nokeys
  4. To extract the key, use this openSSL command:
    openssl pkcs12 –in pfxfilename.pfx –out keyfile.pem -nocerts
  5. Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab > Certificates screen.
  6. In the case of a High Availability (HA) Pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

 

 

- Peter

 

Thank you for the repsonse Peter, greatly appreciated.  What we ended up doing is what you suggested in your first paragraph, we asked for a certificate to be issued which is a Subordinate CA.  Problem solved.  When I suggested the article "How to Implement Certificates Issued from Microsoft Certificate Services" it was met with hesitation, so haivng a certificate created which is a Subordinate worked out nicely.

 

Cheers,

Carter

Hi Peter, Just going through your solution . So , If I want to use  internal PKI infra , then there is no need to generate CSR on firewall ? 

What do I tell my customer like , to directly provide me the CA certificate ? I mean they dont need my CSR ? Because when I am providing CSR and importing certificate , then that forward trust option is greyed out ...

 

You have many options.

- Generate CA cert on firewall and push it to domain member computers with Group policy

- Import existing CA into firewall and use this

- Use Subordinate CA signed by existing internal CA

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1 accepted solution
  • 5936 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!