02-06-2019 12:11 PM
We have SSL decryption enabled and are using our own CA as the internal root certificate.
For the web GUI we get a cert warning. Can I use the same cert for the web GUI on the PA?
02-06-2019 02:07 PM
The cert you use for the gui will cause warnings for the same reason that any cert does. If the cert used for the gui is issued by an authority that your endpoint trusts, has the correct name and isn't expired, it shouldn't cause a warning.
For the gui, I create a cert with the firewall fqdn as the subject with SAN entries for the fqdn, firewall name and IP address. This tends to catch how we connect to the gui and eliminates errors.
02-06-2019 02:10 PM
I already have a trusted root CA that all PCs trust.
The SSL decrypt cert is created from the root as an intermediate.
So is it OK to use that for the GUI?
02-06-2019 02:44 PM
You can use any certificate for the gui, just select it in the TLS profile you use for the web management. But if you re-use a cert that was meant for something else, you may still get warnings.
If the current cert has a subject of firewall.company.com and you access the gui with 10.1.1.1, you'll still get a warning from the browser since the address doesn't match the info on the cert.
02-07-2019 12:32 AM
Yea.. you can use it for the GUI as well.
The certificate you are using for forward proxy should be a CA certificate (certificate signing should be selected under key usage while generating the certificate). Once you select this certificate as forward trust/untrust, this certificate will be used for proxying accordingly.
The certificate used for the web GUI does not need to sign any other certificates; it just needs to be an end entity, though you can use a CA certificate for this purpose as well.
Just create an SSL/TLS profile and call this certificate under it. Use this profile in the management configuration.
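The two rules the replies above describe (the browser warns unless the host in the URL is the CN or a SAN entry, and a forward-proxy decryption cert must be a CA that can sign) can be checked mechanically. The following is an added example written for this thread, not Palo Alto code: it works on a small hand-built description of a certificate rather than parsing DER, so it runs offline with only the standard library. The `CertProfile` fields and the `DECRYPT_CA` / `GUI_CERT` sample values are constructed for illustration and mirror the situation in the thread (a decryption CA named after something other than the firewall, and a GUI cert with SANs for the FQDN, short name and IP).

```python
"""Check whether a certificate profile is suitable for (a) the firewall web
GUI at a given URL and (b) SSL forward-proxy decryption.

Added example for this thread; not Palo Alto code. Field names (cn, san_dns,
san_ip, is_ca, key_usage, trusted_chain, expired) are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass
class CertProfile:
    cn: str                                       # subject common name
    san_dns: list = field(default_factory=list)   # SAN dNSName entries
    san_ip: list = field(default_factory=list)    # SAN iPAddress entries
    is_ca: bool = False                           # basicConstraints CA flag
    key_usage: set = field(default_factory=set)   # e.g. {"keyCertSign"}
    trusted_chain: bool = True                    # issuer chains to a root the PC trusts
    expired: bool = False


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def name_matches(cert: CertProfile, host: str) -> bool:
    """Would a browser accept this cert for `host` (a DNS name or an IP literal)?"""
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only matched against SAN iPAddress entries, never the CN.
        return any(ip == ip_address(entry) for entry in cert.san_ip)
    if cert.san_dns:
        # Once a SAN is present, the CN is ignored for name matching.
        return any(_dns_match(entry, host) for entry in cert.san_dns)
    # Legacy fallback: no SAN at all, so the CN is compared.
    return _dns_match(cert.cn, host)


def gui_warnings(cert: CertProfile, url: str) -> list:
    """Reasons a browser would warn when this cert is bound to the web GUI at `url`."""
    host = urlsplit(url).hostname or ""
    reasons = []
    if not cert.trusted_chain:
        reasons.append("issuer not trusted by the client")
    if cert.expired:
        reasons.append("certificate expired")
    if not name_matches(cert, host):
        reasons.append(f"{host!r} is not the CN or a SAN entry")
    return reasons


def usable_for_forward_proxy(cert: CertProfile) -> bool:
    """Forward trust/untrust certs must be able to sign the per-site certificates
    the firewall generates: CA flag set and keyCertSign in key usage."""
    return cert.is_ca and "keyCertSign" in cert.key_usage


# Constructed samples (not real certificates): the decryption CA and a GUI cert
# carrying the firewall FQDN, short name and management IP as SANs.
DECRYPT_CA = CertProfile(cn="Company Decrypt CA", is_ca=True,
                         key_usage={"keyCertSign", "cRLSign"})
GUI_CERT = CertProfile(cn="firewall.company.com",
                       san_dns=["firewall.company.com", "firewall"],
                       san_ip=["10.1.1.1"])
CN_ONLY_CERT = CertProfile(cn="firewall.company.com")   # no SAN at all

if __name__ == "__main__":
    for cert, url in [(DECRYPT_CA, "https://firewall.company.com/"),
                      (GUI_CERT, "https://10.1.1.1/"),
                      (CN_ONLY_CERT, "https://10.1.1.1/")]:
        print(cert.cn, url, "->", gui_warnings(cert, url) or "no warning")
    print("decrypt CA usable for forward proxy:", usable_for_forward_proxy(DECRYPT_CA))
```

Running it reproduces the thread: the decryption CA reused for the GUI warns because the firewall name is neither its CN nor a SAN, the SAN-bearing GUI cert is clean for FQDN, short name and IP, and a CN-only cert still warns when the GUI is opened by IP address because an IP literal is only ever matched against a SAN iPAddress entry.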
02-07-2019 04:54 AM
I tried to use my current SSL decrypt cert also as the web GUI cert,
then when I log in to the PA it still gives me a warning message: not trusted?
02-07-2019 05:52 AM
Hi @MP18,
A certificate error can be because of the following.
About the decryption certificate:
Please note that you will get a certificate error if the certificate was not issued by a root CA trusted by your browser/PC.
As no CAs will be providing a certificate with the CA flag (capable of signing certificates) because of security reasons, you will be generating this in the PA, which means it is self-signed, so it is not trusted by any browser/machine other than this PA unless you manually import this cert into the PC/browser's trusted authorities.
So when you use this cert for the web GUI, it is expected that you will get the error. You can just use it.
If you want a trusted certificate for your web access to avoid the warning, you can get it from any trusted CA; you need to put one of the FQDN/IP in the common name field and add the other one as an alternative name. Import it in Palo Alto and use it for web access. There is cost involved..
02-07-2019 08:57 AM
What are the common name and the SAN entries for the certificate? Do any of those match the URL of the web GUI?
02-07-2019 11:54 AM
No, the common name does not match the web GUI for the firewall.
SSL decryption has a different common name.
02-07-2019 12:38 PM - edited 02-07-2019 12:38 PM
Then the warning is expected. As I said previously, the browser will give a warning if the proper name or IP address is not the CN or included as a SAN entry.
02-07-2019 07:38 PM
Many Thanks for help