This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

intermediate certificates

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

intermediate certificates

smledv
L0 Member

‎07-25-2024 06:17 AM

Hello everyone,

 

Is there a solution other than manually importing intermediate certificates into the Palo Alto Firewall (PAN-OS10.2.9-h1)?

Since there are weekly a few websites with this problem popping up.

 

I already know the import procedure that is described in the knowledge base.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm66CAC

 

for example:

www.deepl.com

https://www.i-doit.com/

www.fabrilscavone.com.br

(Deepl.com on Second DNS IP)

 

Thanks in advance

 

0 Likes Likes
1 REPLY 1

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎08-21-2024 07:41 AM

Hi @smledv ,

As described here - Repair Incomplete Certificate Chains (paloaltonetworks.com) the RFC standard requires the server to send the full chain of trust. Unfortunately it is very common to not follow the RFC, which prevent the firewall to verify the root CA.

 

So in one perfect world we should expect server administrators to fix their servers instead of importing intermediate certificates to the network devices/firewalls.

 

I know the reality is far for that...Unfortunately I am not aware of any automated solution that could solve this.

If you are not afraid to get your hands dirty with scripting, you may be able to achieve something with the steps described in the above link and some XML API calls to the firewall.

 

The problem I am having with such automated approach is the lack of review from the administrator. I would personally prefer person to review the blocked page and verify if the intermediate certificate needs to be imported, or user is trying to access something that is potentially dangerous.

0 Likes Likes
  • 661 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks