How to Generate New MineMeld HTTPS Cert

L1 Bithead

If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.


Start Inside WebGUI 


  1. Go to your Palo Alto Networks firewall or Panorama web GUI.
  2. Device > Certificate Management > Certificates
  3. At the bottom of the screen, click Generate to create a new certificate. Ensure that it is signed by the firewall by clicking "Certificate Authority".
  4. Export the PEM file together with the private key: click the certificate you want to export, then click Export at the bottom of the screen. Choose "Base64 Encoded Certificate (PEM)", tick "Export private key", and click OK.

Now to the CLI


  1. Copy the cert to MineMeld with the command:
    > scp cert_minemeld.pem ubuntu@<minemeldIP>:
  2. Log into MineMeld via ssh with the command:
     ssh ubuntu@<minemeldIP>
  3. Back up the current certificates in case you need to revert to them if something goes wrong:
    [minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
    [minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig
  4. The PEM file that you generated contains both the certificate and the private key, so you need to split the two. This is how I did it, you may have a better way. The file is readable, so you can copy and paste the sections into two different files, or use the CLI commands:
    NOTE: sudo may print an error about missing entries in the /etc/hosts file, as the hostname is not automatically added to this file.
    [minemeld ~]$ cat cert_minemeld.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/{split_after=1} {print > "minemeld" n ".cer"}'
    [minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
    [minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/nginx/minemeld.pem
    [minemeld ~]$ sudo service nginx restart
    The awk rule assumes the certificate block comes first in the export: that block lands in minemeld.cer and everything after it (the private key) in minemeld1.cer. The openssl rsa step prompts for the export passphrase and writes the decrypted key where nginx expects it.
  5. Restart the browser session. You should no longer receive an untrusted-certificate error, provided the root CA that signed the certificate is installed correctly on your machine.
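As an added example (not part of the original article), the script below does step 4 with the checks a practitioner wants before anything is copied into /etc/nginx: it splits the export regardless of which block comes first, strips the export passphrase non-interactively, verifies that the private key actually belongs to the certificate, and checks that the name you browse to is listed as a subjectAltName. The file names, the passphrase and the self-signed demo export it constructs are assumptions; install_to_nginx is the only function that writes outside a temporary directory and the demo never calls it.

```shell
#!/bin/sh
# Added example, not from the original article: split a combined PEM export
# (certificate + passphrase-protected private key, as produced by the firewall
# export described above), strip the passphrase so nginx can start unattended,
# and confirm the key belongs to the certificate before installing anything.
# File names, the passphrase and the demo subject are assumptions.
set -eu
umask 077   # key material is created owner-readable only

# split_pem COMBINED OUTDIR: write certificate block(s) to OUTDIR/minemeld.cer and
# the private key block to OUTDIR/minemeld.key, whichever order they appear in.
split_pem() {
    mkdir -p "$2"
    awk -v cer="$2/minemeld.cer" -v key="$2/minemeld.key" '
        /-----BEGIN CERTIFICATE-----/                        { dest = cer }
        /-----BEGIN (ENCRYPTED |RSA |EC )?PRIVATE KEY-----/  { dest = key }
        dest != ""                                           { print > dest }
        /-----END /                                          { dest = "" }
    ' "$1"
    [ -s "$2/minemeld.cer" ] && [ -s "$2/minemeld.key" ]
}

# strip_passphrase IN OUT PASSPHRASE: unencrypted copy of the key (the interactive
# "openssl rsa -in ... -out ..." step, with the passphrase supplied on the command line).
strip_passphrase() {
    openssl pkey -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# key_matches_cert KEY CERT: succeed only if the public key derived from KEY is
# byte-for-byte the public key carried in CERT (both printed as SubjectPublicKeyInfo).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san CERT NAME: succeed if NAME is listed as a DNS subjectAltName.
# Browsers ignore the CN, so this is what actually has to match the URL.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' | grep -qx "[[:space:]]*DNS:$2[[:space:]]*"
}

# make_demo_export OUT: constructed stand-in for the firewall export, a self-signed
# certificate followed by its key encrypted with the passphrase "demo-passphrase".
make_demo_export() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -sha256 -days 1 \
        -subj '/CN=minemeld.example.test' \
        -addext 'subjectAltName=DNS:minemeld,DNS:minemeld.example.test' \
        -passout pass:demo-passphrase -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    cat "$d/cert.pem" "$d/key.pem" > "$1"
    rm -rf "$d"
}

# prepare_export EXPORT OUTDIR PASSPHRASE: the full pre-install sequence; returns 0
# only when the split, the decryption and the key/certificate match all succeed.
prepare_export() {
    split_pem "$1" "$2" &&
    strip_passphrase "$2/minemeld.key" "$2/minemeld.pem" "$3" &&
    key_matches_cert "$2/minemeld.pem" "$2/minemeld.cer"
}

# install_to_nginx OUTDIR: what you would run on the MineMeld box once the checks
# pass; nginx -t rejects a bad key/cert pair before the running service is touched.
install_to_nginx() {
    cp "$1/minemeld.cer" /etc/nginx/minemeld.cer
    cp "$1/minemeld.pem" /etc/nginx/minemeld.pem
    nginx -t && service nginx restart
}

if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_demo_export "$work/export.pem"
    prepare_export "$work/export.pem" "$work/out" demo-passphrase && echo "key and certificate match"
    cert_has_san "$work/out/minemeld.cer" minemeld && echo "SAN DNS:minemeld present"
    rm -rf "$work"
fi
```

Run it with --demo to exercise the checks against the constructed export; on the MineMeld box you would call prepare_export on the real export and then install_to_nginx on the output directory. The key/certificate comparison is the check that pays off most here: a key that belongs to a different export than the certificate only shows up as an nginx startup failure, and by then the old files have already been moved aside.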
L3 Networker


Some of you might have a Lab-In-A-Box environment and/or want to use the local Windows server for certificate maintenance like I do. Nearly all of my certs are certified by the Windows domain CA, even if I have a registration authority (RA) on my PAN firewall - I only use it for local services like GP and others.

While I want (and with Rome [8.0] I have) to use a trusted certificate with the nginx webserver (on the minemeld box), I want additional DNS entries and an IP address in the subject - for convenience and to fulfill some dependencies of Rome. Think about CNAME and "domain search". Don't you want to use "https://minemeld" instead of "https://minemeld.servers.yourdomain.local" and have a valid connection with a valid certificate?


I usually answer cert requests via the web GUI on my AD server (https://my-server.mydomain.local/certsrv). But setting up the server is a completely different beast!



Your Windows CA server (2012 in my case) has to support alternative DNS entries. Prepare your Windows certificate authority to support certificates with alternative names:

On your Windows Domain and Certificate Server login as Administrator, open a cmd window and paste the following:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart your Certificate Authority. In services, restart "Active Directory Certificate Services".
Now you have to create a private key and a certificate signing request (CSR) on your minemeld box, then sign the request in your Windows CA (via the web GUI), copy the signed certificate to your minemeld box, create a .pem file on the minemeld box and finally copy the .cer and .pem to the right location. I will go through it step by step (it's up to you how you transfer files to or from your minemeld server, but I recommend using 'scp' or other tools like putty, SecureCRT or others).
Create a Certificate Signing Request:
Become root on your minemeld server after login as ubuntu:
$ su -
or $ sudo bash
Create a private key:
# openssl genrsa -aes256 -out minemeld.key 2048
- Enter your passphrase
Create a CSR (certificate signing request) - of course you will replace the values with your own:
# openssl req -new -key minemeld.key -sha256 -nodes -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Klauzi Private/OU=Admin Team/CN=minemeld.servers.klauzi.local/emailAddress=admin@klauzi.local' > minemeld.csr
- Enter your pass phrase for the private key (minemeld.key)
# cat minemeld.csr
You will have to copy the whole output of the "cat" command to paste it into the windows certificate signing request dialog.
Sign your CSR:
Open your CA web GUI: https://your-ad-server/certsrv, <click> on "Request a certificate", <click> on "advanced certificate request".
Paste your output from above in the edit box "Saved request", choose "Web Server" as template and edit "Attributes". The string in the "Attributes" edit window has to be something like: san:parameter=value&parameter=value&parameter=value



Submit and choose "(x) Base 64 encoded" in the next screen before "Download certificate". Save it as "minemeld.cer".


Install your certificate on your minemeld box:

Copy the file "minemeld.cer" to your minemeld box via "scp" (or other tool) to your ubuntu account:


$ scp minemeld.cer ubuntu@<>:


On your minemeld box you should now have three minemeld.* files:

- minemeld.key

- minemeld.csr

- minemeld.cer


Next steps are creating a .pem file and copy the files to the nginx config directory and restart the server:


Create .pem file:
# openssl rsa -in minemeld.key -out minemeld.pem
- Enter your pass phrase
Backup your files:
# cp /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer.orig
# cp /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem.orig
Copy the new files to "/etc/nginx/":
# cp minemeld.pem minemeld.cer /etc/nginx/
Restart nginx server:
# /etc/init.d/nginx restart

That should make it!
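The flow above adds the extra names through the CA's "Attributes" box. The script below is an added example, not the commenter's own commands: it carries the DNS names and the IP address inside the CSR itself as subjectAltName entries and lets you inspect exactly what will be submitted, so the CA side needs only a template that honours request extensions. The subject values and host names are placeholders standing in for your own. This is worth knowing because EDITF_ATTRIBUTESUBJECTALTNAME2, once set, lets any requester on that CA attach arbitrary names to a request against any template; keeping the flag off and putting the names in the CSR is the safer configuration.

```shell
#!/bin/sh
# Added example, not the commenter's own commands: generate the private key and a
# CSR that requests the DNS names and IP address as subjectAltName entries, then
# inspect the CSR to confirm what will be sent to the CA. Subject values and the
# host names are assumptions standing in for your own.
set -eu
umask 077   # the private key is created owner-readable only

# make_csr KEYFILE CSRFILE SAN_LIST: SAN_LIST is the comma-separated "DNS:...,IP:..."
# string OpenSSL expects, e.g. "DNS:minemeld,IP:192.0.2.10" (-addext needs OpenSSL 1.1.1+).
make_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -sha256 \
        -subj '/C=DE/ST=NRW/L=Duesseldorf/O=Example Org/OU=Admin Team/CN=minemeld.servers.example.test' \
        -addext "subjectAltName=$3" -out "$2"
}

# csr_sans CSRFILE: print the SAN entries the CSR requests, one per line, as OpenSSL
# renders them (DNS entries as "DNS:name", IP entries as "IP Address:a.b.c.d").
csr_sans() {
    openssl req -in "$1" -noout -text \
      | awk '/Subject Alternative Name/ { getline; print }' \
      | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# csr_is_valid CSRFILE: the CSR's self-signature verifies, i.e. the file you are
# about to paste into the CA dialog was not mangled on the way over.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>/dev/null
}

# csr_has_san CSRFILE ENTRY: succeed if ENTRY (e.g. "DNS:minemeld") is requested.
csr_has_san() {
    csr_sans "$1" | grep -qx "$2"
}

if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_csr "$work/minemeld.key" "$work/minemeld.csr" \
        "DNS:minemeld,DNS:minemeld.servers.example.test,IP:192.0.2.10"
    csr_is_valid "$work/minemeld.csr" && echo "CSR signature OK"
    echo "requested SANs:"; csr_sans "$work/minemeld.csr"
    cat "$work/minemeld.csr"   # this is what goes into the "Saved request" box
    rm -rf "$work"
fi
```

Run it with --demo to see the requested names before anything reaches the CA; after issuance, run the same inspection against the returned minemeld.cer (openssl x509 -noout -text) to confirm the CA kept the SANs rather than dropping them, which is the usual symptom when the template does not honour request extensions.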


L4 Transporter

Hi @Angelo, you have a small typo in the second path for nginx:


[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/ngnix/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/ngnix/minemeld.pem /etc/ngnix/minemeld.pem-orig


Should instead be:


[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig

L1 Bithead

Thank you for this post.

I didn't really see the need for transferring the pem/pfx over scp.


1) My base64 private key was encrypted (I generated it from a Palo Alto Firewall). Use the command below to decrypt it:

openssl rsa -in <encrypted_key.pem> -out ssl.key

2) Copy, then edit the existing certificate and private key over SSH using VIM or nano.

sudo vim minemeld.pem

3) Restart Nginx:

sudo /etc/init.d/nginx restart
L3 Networker

Please capture example certificate & certificate profile configuration

L5 Sessionator

@iThreatHunt: Could you, please, elaborate a bit more your question? Are you looking for a step-by-step guide on how to use PANOS/Panorama as a PKI to generate certificates?

L3 Networker


My Palo cannot access MineMeld. It shows a URL access error. I think that the certificate may be wrong, and there is no log in access.log (MineMeld).

L5 Sessionator

@iThreatHunt : Would you, please, take a look at the "Step 5" in the article Using MineMeld to generate IP lists from wildcards . I captured some screenshots of that process.

L1 Bithead

chmod 640 minemeld.pem

L0 Member

Is it possible to generate a certificate without a passphrase for the minemeld server?   The PA cert requires a passphrase, and when I install it on minemeld, nginx comes up and shows the new cert in my browser but still says it's invalid, I think because nginx does not have the passphrase when starting.

L0 Member

I found the answer on Digicert. It's a fairly simple one-liner to remove the key from the passphrase.


#openssl rsa -in minemeld.key -out minemeldinsecure.key

- Enter your passphrase


It will prompt you for the original passphrase then create the new file without one.  

Last Updated:
‎01-26-2021 01:15 PM