Using Native Microsoft Tools to Request Certificates for Palo Alto Networks Firewalls

Created On 09/26/18 13:55 PM - Last Modified 07/19/22 23:12 PM


Resolution


Microsoft provides a tool, certreq.exe, with its certificate server, to create and submit certificate signing requests (CSRs) to a Microsoft certificate server. It can be used in place of openssl in environments that use a Microsoft CA, and the commands can be run from any domain member system.

  1. Certreq requires an .inf file to provide certificate information. Use Notepad to modify the following sample INF file according to your needs. Save the file as ssl.inf, for example:

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=your.server.name" ; For a wildcard use "CN=*.DOMAIN.COM" for example
    ; For an empty subject use the following line instead or remove the Subject line entirely
    ; Subject =
    Exportable = TRUE     ; Private key is exportable!
    KeyLength = 2048      ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
    KeySpec = 1           ; AT_KEYEXCHANGE
    KeyUsage = 0xA0       ; Digital Signature, Key Encipherment
    MachineKeySet = True  ; The key belongs to the local computer account
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    SMIME = FALSE
    RequestType = CMC

    ; At least certreq.exe shipping with Windows Vista/Server 2008 is required to
    ; interpret the [Strings] and [Extensions] sections below

    [Strings]
    szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
    szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
    szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
    szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

    [Extensions]
    %szOID_SUBJECT_ALT_NAME2% = "{text}dns=your.computer.name"
    %szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

    [RequestAttributes]
    CertificateTemplate= WebServer ; or =SubCA for SSL-D or CA certificates

    Notes:

    • You can click “OK” for the template not found UI from certreq if the client has no access to templates.
    • You can ignore the unreferenced “[Strings]” section dialog when it appears.
  2. Compile the INF file into a REQ file.

    The following command-line command generates key material and turns the INF file into a certificate request.

    certreq -new ssl.inf ssl.req

    After the certificate request is created, you can verify the request with the following command:

    certutil ssl.req

  3. Submit the REQ file to the CA.

    If the CA is reachable via RPC over the network, use the following command to submit the certificate request to the CA:

    certreq -submit ssl.req

    You'll get a selection dialog from which to select the CA. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately. You'll be prompted to download the file and name it. In this example, we'll name it ssl.cer.

    If RPC traffic is not allowed between the computer where the certificate request was created and the CA, transfer the certificate request to the CA and perform the above command locally at the CA.

  4. Install the certificate in the local browser.

    After the certificate is issued and available as a file, use the following command to install it.

    certreq -accept ssl.cer

    The installation actually puts the certificate into the computer’s personal store, links it with the key material created in Step 1 and builds the certificate property. The certificate property stores information, such as the friendly name, which is not part of a certificate.

     

    After performing Steps 1 to 4, the certificate shows up in the IE certificates interface and can be exported in PKCS 12 format for import into the firewall.
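    The four steps above chained into one PowerShell script, as an added example that is not from this article or from Palo Alto Networks. It assumes an enterprise CA reachable over RPC; the CA "host\name" string, hostnames, template name and working directory are placeholders, and literal OIDs are used in place of the [Strings] substitutions.

```powershell
# Added example, not from the Palo Alto Networks article: the four certreq steps
# driven from PowerShell, plus the PKCS#12 export the article mentions. Run in an
# elevated session on a domain member. All names and paths below are placeholders.
param(
    [string]   $CommonName = "fw1.example.com",
    [string[]] $SanDns     = @("fw1.example.com", "vpn.example.com"),
    [string]   $CaConfig   = "CAHOST.example.com\Example-Issuing-CA",  # "CAhost\CAname"
    [string]   $Template   = "WebServer",
    [string]   $WorkDir    = "C:\certreq-work"
)
$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir "ssl.inf"; $req = Join-Path $WorkDir "ssl.req"
$cer = Join-Path $WorkDir "ssl.cer"; $pfx = Join-Path $WorkDir "ssl.pfx"

# Step 1: write the INF. Literal OIDs replace the article's [Strings] indirection;
# multiple SAN entries are joined with '&', which is what certreq expects.
$san = ($SanDns | ForEach-Object { "dns=$_" }) -join "&"
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$CommonName"
Exportable = TRUE   ; required: the key must leave this host inside the PFX
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = True
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
[Extensions]
2.5.29.17 = "{text}$san"
2.5.29.37 = "{text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2"
[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path $inf -Encoding ASCII

# Steps 2-4: generate the key and CSR, submit to the named CA (-config skips the
# CA picker dialog), then bind the issued certificate to the key in LocalMachine\My.
foreach ($cmd in @(@("-new", $inf, $req), @("-submit", "-config", $CaConfig, $req, $cer), @("-accept", $cer))) {
    & certreq.exe @cmd
    if ($LASTEXITCODE -ne 0) { throw "certreq $($cmd[0]) failed with exit code $LASTEXITCODE" }
}

# Export certificate plus private key as PKCS#12 for import into the firewall.
$thumb = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cer).Thumbprint
$pw = Read-Host -AsSecureString "PFX password"
Export-PfxCertificate -Cert "Cert:\LocalMachine\My\$thumb" -FilePath $pfx -Password $pw | Out-Null
```

    The resulting ssl.pfx carries the certificate and its private key, which is the PKCS 12 file the firewall import expects.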

 

owner: npiagentini


