on 08-17-2016 11:59 AM - edited on 01-26-2021 01:15 PM by jdelio
If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.
Steps:
> scp cert_minemeld.pem ubuntu@<minemeldIP>:
ssh ubuntu@<minemeldIP>
[minemeld ~]$ awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("minemeld" n ".cer")}' cert_minemeld.pem
[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/nginx/minemeld.pem
[minemeld ~]$ sudo service nginx restart
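The awk one-liner above splits the exported PEM at the first END CERTIFICATE line, which works for a single certificate followed by its key but silently misfiles anything else. The script below is an added example (not from the article or the MineMeld project) that routes each PEM block by its BEGIN header, reports whether the key still carries a passphrase (the usual reason nginx serves the old certificate or fails to start), and compares the public key in the certificate against the private key before anything is copied into /etc/nginx/. The output file names and the use of openssl for the match check are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: split a combined PEM
# export (certificate followed by private key) into the two files nginx
# wants, and sanity-check them before copying anything into /etc/nginx/.
# Output file names and the verify step's use of openssl are assumptions.

# split_pem <combined.pem> <outdir>
# Routes each PEM block by its BEGIN header instead of splitting at the
# first END CERTIFICATE line, so a chain with several certificates and a
# key in either order still ends up in the right file.
split_pem() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v cer="$out/minemeld.cer" -v key="$out/minemeld.key" '
        /^-----BEGIN .*PRIVATE KEY-----/ { dest = key }
        /^-----BEGIN CERTIFICATE-----/   { dest = cer }
        dest != ""                       { print > dest }
        /^-----END /                     { dest = "" }
    ' "$in"
}

# cert_count <file>: number of certificate blocks in a PEM file
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# key_is_encrypted <keyfile>: true if nginx would need a passphrase to
# load this key (traditional Proc-Type header or PKCS#8 ENCRYPTED block)
key_is_encrypted() {
    grep -q -E '^Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# keys_match <cert> <key>: compare the public key inside the certificate
# with the one derived from the private key. Returns 2 when openssl is
# not installed; prompts for the passphrase if the key is encrypted.
keys_match() {
    command -v openssl >/dev/null 2>&1 || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: sh split_check.sh cert_minemeld.pem ./out
if [ $# -eq 2 ]; then
    split_pem "$1" "$2"
    echo "certificates in $2/minemeld.cer: $(cert_count "$2/minemeld.cer")"
    if key_is_encrypted "$2/minemeld.key"; then
        echo "key is passphrase-protected: run 'openssl rsa -in minemeld.key -out minemeld.pem' before nginx uses it"
    fi
    if keys_match "$2/minemeld.cer" "$2/minemeld.key"; then
        echo "certificate and key match"
    else
        echo "WARNING: certificate and key do NOT match (or openssl is missing)" >&2
    fi
fi
```

Run it against the exported file and only copy the results into /etc/nginx/ once it reports a match; a mismatch at this stage is far easier to diagnose than a browser warning after the restart.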
Some of you might have a Lab-In-A-Box environment and/or want to use the local Windows server for certificate maintenance like I do. Nearly all of my certs are certified by the Windows domain CA, even if I have a registration authority (RA) on my PAN firewall - I only use it for local services like GP and others.
While I want (and with Rome [8.0] I have) to use a trusted certificate with the nginx webserver (on the minemeld box), I want additional DNS entries and an IP address in the subject - for convenience and to fulfill some dependencies of Rome. Think about CNAME and "domain search". Don't you want to use "https://minemeld" instead of "https://minemeld.servers.yourdomain.local" and have a valid connection with a valid certificate?
I usually answer cert requests via the web GUI on my AD server (https://my-server.mydomain.local/certsrv). But setting up the server is a completely different beast!
Your Windows CA server (2012 in my case) has to support alternative DNS entries. Prepare your Windows Authority to support certificates with alternative names:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
$ su -
or
$ sudo bash
Create a private key:
# openssl genrsa -aes256 -out minemeld.key 2048
- Enter your passphrase
Create a CSR (certificate signing request) - of course you will replace the values with your own:
# openssl req -new -key minemeld.key -sha256 -nodes -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Klauzi Private/OU=Admin Team/CN=minemeld.servers.klauzi.local/emailAddress=admin@klauzi.local' > minemeld.csr
- Enter your pass phrase for the private key (minemeld.key)
# cat minemeld.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC6zCCAdMCAQAwgaUxCzAJBgNVBAYTAkRFMQwwCgYDVQQIDANOUlcxEDAOBgNV
BAcMB0hvZXh0ZXIxFjAUBgNVBAoMDUtsYXVzIFByaXZhdGUxEzARBgNVBAsMCkFk
bWluIFRlYW0xJjAkBgNVBAMMHW1pbmVtZWxkLnNlcnZlcnMua2xhdXppLmxvY2Fs
MSEwHwYJKoZIhvcNAQkBFhJhZG1pbkBrbGF1emkubG9jYWwwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCsY+cka1aODaNJIZ9ft4DcGUZCQXQjXdG9U+C2
pisXaXHdYHkdpmOSWqWmxIAlIIDjVITjvnviO/g7yEIaY6HR4EBdFKcZU7Tqh0Ze
ojFoCiZVy+MQiXFfxhM1GhIeN4mIm1CxNig5aKkj5uitmyqtb/bMK1QDCxA5kUUG
/PLV1okaMCB8hboV4q/4UrjO99OkFEdWGn7z1p+GJ5G7Tkpp2ml4Rw6ltT4iCmrZ
0nLFz7fGaFNz8fCZ4/NMVkiJxqaJfjrBtHnnpBXXpx5BYhBXOgUOGzIh/D9Dpfol
BW1I3yfNuN1vwnSq+AfFgixf2mYdzTUHsCtMk++9v3kUKeCzAgMBAAGgADANBgkq
hkiG9w0BAQsFAAOCAQEAZWkORNHiNu7rkQ/tJ6yvbsZ5f6lom360KuT1IgZoKgcq
ibkumHeB/t4AWMSqMiAxELkPXVzmLcs1dPoUQp72iacCCRoE8Ch/XjXXF0bOM0Pg
zn8CM1zAESuv7Iny7X/3gPcfBrPB1pJkn1VSa7Zxl0egQbCmLxbYqRcTxY9oJjjt
mlB/u7iHPSP1Vpnr8wMOhOrRlJ2tKz9dDiMn1cxbz7CABmon/4Ocl+IDO1bb6x3B
9cYL7gty1WOe/hI9V/SIG1HDfqyFc31HPHcoUh+KzUoRGMuaCYHrqSAxTgre95XY
NKjgCBKgaQIl5NT4UWVHup+wr0yH5Z4C0H13Go5geA==
-----END CERTIFICATE REQUEST-----
san:ipaddress=192.168.5.20&dns=192.168.5.20&dns=minemeld.klauzi.local&dns=minemeld
Submit and choose "(x) Base 64 encoded" in the next screen before "Download certificate". Save it as "minemeld.cer".
Install your certificate on your minemeld box:
Copy the file "minemeld.cer" to your minemeld box via "scp" (or other tool) to your ubuntu account:
$ scp minemeld.cer ubuntu@<ip.add.re.ss>:
On your minemeld box you should now have three minemeld.* files:
- minemeld.key
- minemeld.csr
- minemeld.cer
Next steps are creating a .pem file, copying the files to the nginx config directory and restarting the server:
Create .pem file:
# openssl rsa -in minemeld.key -out minemeld.pem
- Enter your pass phrase
Backup your files:
# cp /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer.orig
# cp /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.orig
Copy the new files to "/etc/nginx/":
# cp minemeld.pem minemeld.cer /etc/nginx/
Restart nginx server:
# /etc/init.d/nginx restart
That should make it!
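The procedure above relies on EDITF_ATTRIBUTESUBJECTALTNAME2 so that names typed into the certsrv attribute box are copied into the issued certificate. That CA-wide flag lets any enrollee attach arbitrary names to any request, so the safer route is to carry the SubjectAltName inside the CSR itself. The script below is an added example (not code from the comment author or the MineMeld project) that writes the openssl request config for that CSR, using the DN, IP and DNS names from the comment as placeholders to be replaced; the generated config can be checked offline, and the openssl steps are guarded so the script still runs where openssl is absent.

```shell
#!/bin/sh
# Added example, not part of the original comment: generate the request
# config for a CSR that carries its own SubjectAltName extension. A CA
# can then issue the SANs from the CSR without EDITF_ATTRIBUTESUBJECTALTNAME2,
# a flag that lets any enrollee add arbitrary names to any request.
# The DN values reuse the ones from the comment above; replace them.

# write_req_conf <outfile> <cn> <ip> <dns-name>...
write_req_conf() {
    out="$1"; cn="$2"; ip="$3"; shift 3
    {
        printf '[ req ]\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n\n'
        printf '[ dn ]\n'
        printf 'C = DE\nST = NRW\nL = Duesseldorf\n'
        printf 'O = Klauzi Private\nOU = Admin Team\n'
        printf 'CN = %s\n' "$cn"
        printf 'emailAddress = admin@klauzi.local\n\n'
        printf '[ v3_req ]\n'
        printf 'keyUsage = digitalSignature, keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n\n'
        printf '[ alt_names ]\n'
        printf 'IP.1 = %s\n' "$ip"
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$out"
}

# san_count <conf>: how many names the [ alt_names ] section declares
san_count() {
    grep -c -E '^(DNS|IP)\.[0-9]+ = ' "$1"
}

# make_csr <conf> <key> <csr>: sign the request with the existing key
# (minemeld.key from the comment). Returns 2 when openssl is missing.
make_csr() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl req -new -key "$2" -sha256 -config "$1" -out "$3"
}

# show_sans <csr>: print the SAN line so it can be confirmed before upload
show_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh make_csr.sh minemeld.key minemeld.csr
if [ $# -eq 2 ]; then
    conf=$(mktemp)
    write_req_conf "$conf" minemeld.servers.klauzi.local 192.168.5.20 \
        minemeld.klauzi.local minemeld
    make_csr "$conf" "$1" "$2" && show_sans "$2"
    rm -f "$conf"
fi
```

Paste the resulting CSR into certsrv as before, leaving the attribute box empty; whether a given CA honours extensions carried in the request depends on its template settings, so check the SAN line in the issued certificate the same way show_sans checks it in the request.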
Hi @Angelo, you have a small typo in the second path for nginx:
[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/ngnix/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/ngnix/minemeld.pem /etc/ngnix/minemeld.pem-orig
Should instead be:
[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig
Thank you for this post.
I didn't really see the need for transferring the pem/pfx over scp.
1) My base64 private key was encrypted (I generated it from a Palo Alto Firewall). Use the command below to decrypt it:
openssl rsa -in ssl.key.secure -out ssl.key
2) Copy, then edit the existing certificate and private key over SSH using vim or nano.
sudo vim minemeld.pem
3) Restart Nginx:
sudo /etc/init.d/nginx restart
@iThreatHunt: Could you, please, elaborate a bit more on your question? Are you looking for a step-by-step guide on how to use PAN-OS/Panorama as a PKI to generate certificates?
My Palo cannot access Minemeld. It shows a URL access error. I think that the certificate may be wrong, and there is no log entry in access.log (Minemeld).
@iThreatHunt: Would you, please, take a look at "Step 5" in the article "Using MineMeld to generate IP lists from wildcards". I captured some screenshots of that process.
Is it possible to generate a certificate without a passphrase for the minemeld server? The PA cert requires a passphrase, and when I install it on minemeld, nginx comes up and shows the new cert in my browser but still says it's invalid, I think because nginx does not have the passphrase when starting.
I found the answer on Digicert. It's a fairly simple one-liner to remove the passphrase from the key.
# openssl rsa -in minemeld.key -out minemeldinsecure.key
- Enter your passphrase
It will prompt you for the original passphrase then create the new file without one.