04-26-2019 12:22 AM
Hello.
I'm having an issue with a setup of decryption.
we have a custoemr who wants decryption. and they also have an entreprise CA.
to have the least user impact they wanted to use an entreprise signed certificate for their ssl forward trust.
I created a certificate as explained on palo alto resources
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/decryption/configure-ssl-forward-proxy
so far so good.
I sent the csr to our customer.
when I got it back( .cer) file I got an issue because it was not base 64 encoded. but could resolve it via this link:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGSCA0
afterwards I managed to get the certificate uploaded.
however:
for the certificate the "key" checkbox is checked, but the "ca" checkbox is not. --> despite PA resources telling me it should be checked after the import(see first link step 3.4.d
when opening the certificate all options( ssl forward trust, untrust, etc are greyed out. the only option I can select is "certificate for secure syslog"
I'm starting to think the issue lies with the entreprise CA. or how teh certificate was signed. but wanted to make sure. perhaps someone on this forum knows more?
04-26-2019 10:29 AM
The enterprise CA that signed the CSR failed to ensure it is a actually a CA cert, sometimes known as a Signing cert or Delegation cert. It's not very obvious in that document, so it can be missed.
When you send the CSR to the enterprise CA, they must make it a signing/delegation/ca certificate or it cannot be used to sign the on-the-fly certificates the firewall generates when doing decryption. Without that, it is just a normal server certificate.
You don't have to go through the whole process again, you can just have the CA re-sign the CSR you gave, ensuring it is a CA cert as well.
04-26-2019 10:29 AM
The enterprise CA that signed the CSR failed to ensure it is a actually a CA cert, sometimes known as a Signing cert or Delegation cert. It's not very obvious in that document, so it can be missed.
When you send the CSR to the enterprise CA, they must make it a signing/delegation/ca certificate or it cannot be used to sign the on-the-fly certificates the firewall generates when doing decryption. Without that, it is just a normal server certificate.
You don't have to go through the whole process again, you can just have the CA re-sign the CSR you gave, ensuring it is a CA cert as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
