12-05-2012 09:00 AM
Hi All,
Is there any way to customize the expiration date of a certificate that is generated by the Palo Alto firewall itself? I saw it on the webpage and it is too short; it is only six months.
Thanks.
Regards,
Joy
12-05-2012 12:12 PM
Hi Joy,
If you are running version 5.0.0 or higher, you can specify the expiration in the Generate dialog box.
If you are running a version prior to 5.0.0, there is no way to customize the expiration date directly on the firewall. You can create the certificate externally (OpenSSL, Microsoft Certificate Server, etc.) and import the private & public keys. Those externally-generated certificates can use any expiration you would like.
I am not sure why you are seeing a 6 month expiration date though. On 4.1.9, the default expiration date for a newly created certificate is ten years.
Regards,
Greg Wesson
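The OpenSSL route mentioned in the reply above, as an added example that is not part of the original thread: it creates a self-signed certificate with a chosen validity period and checks the resulting dates before any import. The CN `fw.example.test`, the file names and the function names are assumptions made for illustration, and the import step on the firewall is not shown.

```shell
#!/usr/bin/env bash
# Added example; names and values below are constructed, not taken from the thread.
set -eu

# make_cert DIR DAYS CN: write DIR/key.pem and DIR/cert.pem, self-signed,
# with a validity period of DAYS days starting now.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -days "$2" -subj "/CN=$3" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  chmod 600 "$1/key.pem"   # the private key is unencrypted (-nodes), so restrict it
}

# valid_for_days CERT DAYS: succeed only if CERT is still valid DAYS days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# show_cert CERT: print the fields to compare with what the browser displays.
# A certificate re-signed during SSL decryption shows the firewall as issuer
# while the validity dates are those of the destination server's certificate.
show_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -startdate -enddate
}

# Run as "script.sh demo" to generate a ten-year certificate in a temp directory.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_cert "$dir" 3650 "fw.example.test"
  show_cert "$dir/cert.pem"
  valid_for_days "$dir/cert.pem" 3649 && echo "validity confirmed: $dir"
fi
```

Running `show_cert` against a certificate exported from the browser shows whether the short expiration belongs to the firewall's own certificate or to one it signed on the fly.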
12-05-2012 02:14 PM
Also, is this question regarding HTTPS for the mgmt-plane or certificates generated on the fly when you use SSL decrypt?
If it's the latter, then the PA will just copy the expiration date from the external cert into the internal (on-the-fly generated) cert. This internal cert is then signed by the CA you imported into the PA (and the client has this CA public cert added as a trusted CA).
12-09-2012 01:51 AM
Hi Greg,
Thanks for the reply. I saw a 6-month expiration date in the client IE browser, but it shows a 10-year expiration date on the PA after I generate it; that is the point that confuses me.
In addition, the PA is running PanOS 4.1.9.
Regards,
Joy
12-10-2012 03:42 PM
Hi Joy,
If you are doing SSL Decryption as mikand says, the certificate that the firewall presents is just copied from the server. The domain name (common name) and expiration date (validity period) are copied from the destination server's certificate, with the issuer being the Palo Alto Networks firewall.
If you are managing the firewall and seeing the 6-month expiration date, that is something I have not seen. I doubt your PC date is wrong or you would have errors on nearly every public HTTPS site. You could always regenerate the certificate, but it sounds like you already verified it is a 10-year cert.
Can you give us more details about what the certificate is used for and when you see it?
-Greg
12-11-2012 05:36 PM
Hi Greg,
Thanks for the reply. After confirming it again, I see the correct expiration date, which is 10 years. The 6-month expiration date that I saw should be the one signed by the PA for client use.
I am sorry about that, and thanks for your help.
Regards,
Joy