How to Generate New MineMeld HTTPS Cert


If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.

 

Start Inside WebGUI 

Steps:

  1. Go to your Palo Alto Networks firewall or Panorama WebGUI.
  2. Device > Certificate Management > Certificates
  3. At the bottom of the screen, click Generate to create a new certificate. Use the MineMeld hostname that users will type into the browser as the Common Name, and in "Signed By" choose the firewall's root CA certificate so the new certificate is signed by it. Leave the "Certificate Authority" box unchecked: that option would turn the new certificate into a CA rather than a server certificate.
  4. Export the PEM file together with the private key: select the new certificate, click Export at the bottom of the screen, choose "Base64 Encoded Certificate (PEM)", tick "Export private key", enter a passphrase (the private key is exported encrypted with it, and you will need it again on the MineMeld side) and click OK.

Now to the CLI

Steps:

  1. Copy the exported PEM file to the MineMeld box. Note the trailing colon: without it scp writes a local file called "ubuntu@minemeld" instead of copying anything:
    $ scp cert_minemeld.pem ubuntu@minemeld:
  2. Log into MineMeld via ssh:
    $ ssh ubuntu@minemeld
  3. Back up the current certificate and key so you can revert if something goes wrong. Both files live in /etc/nginx:
    [minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
    [minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig
  4. The exported PEM file contains both the certificate and the private key, so you need to split it into two files. The file is plain text, so you can copy and paste the two sections into separate files, or split it on the command line. The awk one-liner below assumes the certificate comes first in the export: everything up to and including the -----END CERTIFICATE----- line goes to minemeld.cer and the rest (the private key) to minemeld1.cer:
    [minemeld ~]$ awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > ("minemeld" n ".cer")}' cert_minemeld.pem
    [minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
    [minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/nginx/minemeld.pem
    [minemeld ~]$ sudo chmod 600 /etc/nginx/minemeld.pem
    [minemeld ~]$ sudo service nginx restart
    openssl rsa prompts for the export passphrase and writes the key unencrypted, which nginx needs in order to start unattended; keep that file readable by root only and delete the working copies in your home directory when you are done.
  5. Start a new browser session. You should no longer get a certificate warning, provided the root CA that signed the certificate is installed in your machine's trust store.
Comments

 

Some of you might have a Lab-In-A-Box environment and/or want to use the local windows server for certificate maintenance like I do. Nearly all of my certs are certified by the windows domain CA, even if I have a registration authority (RA) on my PAN firewall - I only use it for local services like GP and others.

While I want (and with Rome [8.0] I have) to use a trusted certificate with the nginx webserver (on the minemeld box), I want additional DNS entries and an IP address in the subject - for convenience and to fulfill some dependencies of Rome. Think about CNAME and "domain search". Don't you want to use "https://minemeld" instead of "https://minemeld.servers.yourdomain.local" and have a valid connection with a valid certificate?

 

I usually answer cert requests via the web GUI on my AD server (https://my-server.mydomain.local/certsrv). But setting up the server is a completely different beast!

 

 

Your Windows CA server (2012 in my case) has to support alternative DNS-entries. Prepare your Windows Authority to support certificates with alternative names:

 
On your Windows Domain and Certificate Server login as Administrator, open a cmd window and paste the following:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart your Certificate Authority. In Services restart "Active Directory Certificate Services".
 
Now you have to create a private key and a certificate signing request (CSR) on your minemeld box, then sign the request in your Windows CA (via web GUI), copy the signed certificate to your minemeld box, create a .pem file on the minemeld box and finally copy the .cer and .pem to the right location. I will go through it step by step (it's up to you how you transfer files to or from your minemeld server, but I recommend using 'scp' or other tools like PuTTY, SecureCRT or others).
 
Create a Certificate Signing Request:
Become root on your minemeld server after login as ubuntu:
$ su -
or $ sudo bash
Create a private key:
# openssl genrsa -aes256 -out minemeld.key 2048
- Enter your passphrase
Create a CSR (certificate signing request) - of course you will replace the values with your own:
# openssl req -new -key minemeld.key -sha256 -nodes -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Klauzi Private/OU=Admin Team/CN=minemeld.servers.klauzi.local/emailAddress=admin@klauzi.local' > minemeld.csr
- Enter your pass phrase for the private key (minemeld.key)
# cat minemeld.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
 
You will have to copy the whole output of the "cat" command to paste it into the windows certificate signing request dialog.
 
Sign your CSR:
Open your CA webgui: https://your-ad-server/certsrv, <click> on "Request a certificate", <click> on "advanced certificate request". 
Paste your output from above into the edit box "Saved request", choose "Web Server" as template and edit "Attributes". The string in the "Attributes" edit window has to be something like: san:parameter=value&parameter=value&parameter=value
san:ipaddress=192.168.5.20&dns=192.168.5.20&dns=minemeld.klauzi.local&dns=minemeld

[screenshot: private-CA.png]

 

Submit and choose "(x) Base 64 encoded" in the next screen before "Download certificate". Save it as "minemeld.cer".

 

Install your certificate on your minemeld box:

Copy the file "minemeld.cer" to your minemeld box via "scp" (or other tool) to your ubuntu account:

 

$ scp minemeld.cer ubuntu@<ip.add.re.ss>:

 

On your minemeld box you should now have three minemeld.* files:

- minemeld.key

- minemeld.csr

- minemeld.cer

 

Next steps are creating a .pem file and copy the files to the nginx config directory and restart the server:

 

Create .pem file:
# openssl rsa -in minemeld.key -out minemeld.pem - Enter your pass phrase
Backup your files:
# cp /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer.orig
# cp /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.orig
Copy the new files to "/etc/nginx/":
# cp minemeld.pem minemeld.cer /etc/nginx/
Restart nginx server:
# /etc/init.d/nginx restart

That should make it!

 

Hi @Angelo, you have a small typo in the second path for nginx:

 

[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/ngnix/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/ngnix/minemeld.pem /etc/ngnix/minemeld.pem-orig

 

Should instead be:

 

[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig

Thank you for this post.

I didn't really see the need for transferring the pem/pfx over scp.

 

1) My base64 private key was encrypted (I generated it from a Palo Alto Firewall). Use the command below to decrypt it:

openssl rsa -in ssl.key.secure -out ssl.key

2) Copy, then edit the existing certificate and private key over SSH using vim or nano.

sudo vim minemeld.pem

3) Restart Nginx:

sudo /etc/init.d/nginx restart

Please capture example certificate & certificate profile configuration

@iThreatHunt: Could you, please, elaborate a bit more your question? Are you looking for a step-by-step guide on how to use PANOS/Panorama as a PKI to generate certificates?

@xhoms
 

My Palo cannot access MineMeld. It shows a URL access error. I think that the certificate may be wrong, and there is no log in access.log (MineMeld).

@iThreatHunt : Would you, please, take a look at the "Step 5" in the article Using MineMeld to generate IP lists from wildcards . I captured some screenshots of that process.

Version history: revision 11 of 11, last update 12-06-2016 06:53 PM