Using Native Microsoft Tools to Request Certificates for Palo Alto Networks Firewalls
Resolution
Microsoft provides a tool, certreq.exe, with its certificate server, to create and submit certificate signing requests (CSR) to a Microsoft certificate server. These tools can be used in place of openssl for environments that use a Microsoft CA. The commands can be used from any domain member system.
- Certreq requires an .inf file to provide certificate information. Use Notepad to modify the following sample INF file according to your needs. Save the file as ssl.inf, for example:
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=your.server.name" ; For a wildcard use "CN=*.DOMAIN.COM" for example
; For an empty subject use the following line instead or remove the Subject line entierely
; Subject =
Exportable = TRUE ; Private key is exportable!
KeyLength = 2048 ; Common key sizes: 512, 1024, 2048,
4096, 8192, 16384
KeySpec = 1 ; AT_KEYEXCHANGE
KeyUsage = 0xA0 ; Digital Signature, Key Encipherment
MachineKeySet = True ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC
; At least certreq.exe shipping with Windows Vista/Server 2008 is required to
interpret the [Strings] and [Extensions] sections below
[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=your.computer.name " %szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"
[RequestAttributes]
CertificateTemplate= WebServer ; or =SubCA for SSL-D or CA certificates
Notes:
- You can click “OK” for the template not found UI from certreq if the client has no access to templates.
- You can ignore the unreferenced “[Strings]” section dialog when it appears.
- Compile the INF file into a REQ file.
The following command‐line command generates key material and turns the INF file into a certificate request.
certreq –new ssl.inf ssl.req
After the certificate request is created, you can verify the request with the following command:
certutil ssl.req
- Submit the REQ file to the CA.
If the CA is reachable via RPC over the network, use the following command to submit the certificate request to the CA:
certreq –submit ssl.req
You'lll get a selection dialog from which to select the CA. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately. You'll be prompted to download the file and name it. In this example, we'll name it ssl.cer
If RPC traffic is not allowed between the computer where the certificate request was created and the CA, transfer the certificate request to the CA and perform the above command locally at the CA.
- Install the certificate in the local browser.
After the certificate is issued and available as a file, use the following command to install it.
certreq –accept ssl.cer
The installation actually puts the certificate into the computer’s personal store, links it with the key material created in Step 1 and builds the certificate property. The certificate property stores information, such as the friendly name, which is not part of a certificate.
After performing Steps 1 to 4, the certificate shows up in the IE certificates interface and can be exported in PKCS 12 format for import into the firewall.
owner: npiagentini