can i use ssl decryption cert for web gui

Cyber Elite

We have SSL decryption enabled and are using our own CA as the internal root certificate.

For the web GUI we get a certificate warning. Can I use the same cert for the web GUI of the PA?

MP

All Replies
L4 Transporter

The cert you use for the gui will cause warnings for the same reason that any cert does. If the cert used for the gui is issued by an authority that your endpoint trusts, has the correct name and isn't expired, it shouldn't cause a warning.

For the gui, I create a cert with the firewall fqdn as the subject with SAN entries for the fqdn, firewall name and IP address. This tends to catch how we connect to the gui and eliminates errors.

Cyber Elite

I already have a trusted root CA that all PCs trust.

The SSL decrypt cert is created from the root as an intermediate.

So is it OK to use that for the GUI?

MP
L4 Transporter

You can use any certificate for the gui, just select it in the TLS profile you use for the web management. But if you re-use a cert that was meant for something else, you may still get warnings.

If the current cert has a subject of firewall.company.com and you access the gui with 10.1.1.1, you'll still get a warning from the browser since the address doesn't match the info on the cert.

L4 Transporter

Yeah, you can use it for the GUI as well.

The certificate you are using for forward proxy should be a CA certificate (certificate signing should be selected under key usage while generating the certificate). Once you select this certificate as forward trust/untrust, it will be used for proxying accordingly.

The certificate used for the web GUI need not sign any other certificates; it just needs to be an end entity, though you can use a CA certificate for this purpose as well.

Just create an SSL/TLS profile and reference this certificate in it. Use this profile in the management configuration.

Cyber Elite

I tried to use my current SSL decrypt cert also for the web GUI.

Then when I log in to the PA it still gives me a warning message: not trusted?

MP
L4 Transporter

Hi @MP18,

A certificate error can be because of:

  • Not issued by a trusted CA
  • Issued to someone else (CN mismatch)
  • Expired, etc.

About the decryption certificate,

please note that you will get a certificate error if the certificate was not issued by a root CA trusted by your browser/PC.

As no CAs will be providing a certificate with the CA flag (capable of signing certificates) because of security reasons, you will be generating this in the PA, which means it is self-signed, so it is not trusted by any browser/machine other than this PA unless you manually import this cert into the PC's/browser's trusted authorities.

So when you use this cert for the web GUI, it is expected that you will get the error. You can just use it.

If you want a trusted certificate for your web access to avoid the warning, you can get it from any trusted CA; put one of FQDN/IP in the common name field and add the other one as an alternative name. Import it in Palo Alto and use it for web access. There is cost involved.


L4 Transporter

What are the common name and the SAN entries for the certificate? Do any of those match the URL of the web GUI?

Cyber Elite

No, the common name does not match the web GUI for the firewall.

The SSL decryption cert has a different common name.

MP
L4 Transporter

Then the warning is expected. As I said previously, the browser will give a warning if the proper name or IP address is not the CN or included as a SAN entry.

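An added example, not posted by anyone in this thread, that walks through what the two L4 Transporter replies describe: an internal root CA of the kind used for decryption, a separate end-entity cert for the firewall web GUI whose SANs carry the FQDN, short name and management IP, and an openssl check of which names each cert is valid for, so the CN/SAN mismatch warning can be reproduced offline. The names and the IP are constructed placeholders, and the script assumes an `openssl` binary (1.1.1 or newer) on the path.

```shell
#!/bin/sh
# Added example, not from the thread: an internal root CA (the kind used for
# decryption) and a separate end-entity cert for the firewall web GUI, then
# a check of which names each cert is valid for. Names/IP are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
FQDN=firewall.example.internal
SHORT=firewall
MGMT_IP=10.1.1.1

# 1. Self-signed internal root CA. With the default openssl config,
#    req -x509 marks it CA:TRUE, i.e. it can sign other certs, as a
#    forward-trust decryption cert must. Its CN names the CA, not the box.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Example Internal Root CA" >/dev/null 2>&1

# 2. End-entity GUI cert signed by that CA: CA:FALSE, serverAuth, and a SAN
#    for every name an admin might type into the browser.
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$FQDN" \
  -keyout "$WORK/gui.key" -out "$WORK/gui.csr" >/dev/null 2>&1
cat >"$WORK/gui.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$FQDN,DNS:$SHORT,IP:$MGMT_IP
EOF
openssl x509 -req -in "$WORK/gui.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -sha256 -extfile "$WORK/gui.ext" \
  -out "$WORK/gui.crt" >/dev/null 2>&1

# name_ok CERT NAME: prints "ok" if a client trusting ca.crt would accept
# CERT when connecting to NAME (DNS name or IPv4), i.e. the chain verifies
# and NAME is in the SAN (or CN fallback); otherwise prints "mismatch".
name_ok() {
  case $2 in
    *[!0-9.]*) flag=-verify_hostname ;;   # has letters: DNS name
    *)         flag=-verify_ip ;;         # digits and dots: IPv4
  esac
  if openssl verify -CAfile "$WORK/ca.crt" "$flag" "$2" "$1" >/dev/null 2>&1
  then echo ok; else echo mismatch; fi
}

echo "gui cert, FQDN:  $(name_ok "$WORK/gui.crt" "$FQDN")"    # ok
echo "gui cert, IP:    $(name_ok "$WORK/gui.crt" "$MGMT_IP")" # ok
echo "CA cert, IP:     $(name_ok "$WORK/ca.crt" "$MGMT_IP")"  # mismatch
```

The last line is the situation in this thread: the decryption CA cert chains fine, but its subject names the CA rather than the firewall, so any browser reaching the GUI by FQDN or IP reports a name mismatch.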
