about certificate expired date

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

about certificate expired date

L4 Transporter

Hi All,

Is there any way to custom certificate expired date that generate by paloalto itself ?  I saw it on webpage that is too short, it only have six monthes.

Thanks.

Regards,

Joy

1 accepted solution

Accepted Solutions

Hi Joy,

If you are doing SSL Decryption as mikand says, the certificate that the firewall presents is just copied from the server. The domain name (common name) and expiration date (validity period) are copied from the destination server's certificate, with the issuer being the Palo Alto Networks firewall.

If you are managing the firewall and seeing the 6-month expiration date, that is something I have not seen. I doubt your PC date is wrong or you would have errors on nearly every public HTTPS site. You could always regenerate the certificate, but it sounds like you already verified it is a 10-year cert.

Can you give us more details about what the certificate is used for and when you see it?

-Greg

View solution in original post

5 REPLIES 5

L7 Applicator

Hi Joy,

If you are running version 5.0.0 or higher, you can specify the expiration in the Generate dialog box.

If you are running a version prior to 5.0.0, there is no way to customize the expiration date directly on the firewall. You can create the certificate externally (OpenSSL, Microsoft Certificate Server, etc.) and import the private & public keys. Those externally-generated certificates can use any expiration you would like.

I am not sure why you are seeing a 6 month expiration date though. On 4.1.9, the default expiration date for a newly created certificate is ten years.

Regards,

Greg Wesson

Also is this question regarding the https for mgmt-plane or certificates generated on the fly when you use ssl decrypt?

If its the later then the PA will just copy the expiration date from the external cert into the internal (on the fly generated) cert. This internal cert is then signed by the CA you imported into the PA (and the client have this CA public cert added as trusted CA).

Hi Greg,

Thanks for reply, I saw a 6 month expiration date on client IE browser, but truly, it shows 10 years expiration date on PA after I generate it, it's the point that I confuse.

In addition, the PA is running PanOS 4.1.9.

Regards,

Joy

Hi Joy,

If you are doing SSL Decryption as mikand says, the certificate that the firewall presents is just copied from the server. The domain name (common name) and expiration date (validity period) are copied from the destination server's certificate, with the issuer being the Palo Alto Networks firewall.

If you are managing the firewall and seeing the 6-month expiration date, that is something I have not seen. I doubt your PC date is wrong or you would have errors on nearly every public HTTPS site. You could always regenerate the certificate, but it sounds like you already verified it is a 10-year cert.

Can you give us more details about what the certificate is used for and when you see it?

-Greg

Hi Greg,

Thanks for reply, after confirm it again, I see the correct info about expiration date that is 10 years. the 6 month expiration date that I saw should be  signed from PA for client use.

I am sorry about that, and thanks for your helping.

Regards,

Joy

  • 1 accepted solution
  • 6374 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!