03-09-2012 01:47 PM
I recently installed a PA-200 at a client's office and set up GlobalProtect for SSL VPN using self-signed certificates. Now that we are ready to roll into production, we'd like to install a trusted SSL certificate. We purchased a certificate from GoDaddy. The CSR was created on IIS7 (on Small Business Server 2008) and successfully used to create the certificate through GoDaddy. When I download the certificate from GoDaddy I get two files.
- gd_bundle.crt (appears to be several GoDaddy Intermediate Certificates)
- host.domain.com.crt (the SSL cert created for my domain)
Where I am confused is how to properly import these certificates so I can use them for the GlobalProtect Portal and Gateway. I am guessing that the format GoDaddy uses must be Base64 Encoded Certificate (PEM) because I have no passphrase from GoDaddy. If I simply import the certificate without the private key, then it imports just fine, but I can't select it within the GlobalProtect Gateway or Portal. If I select the Import Private Key checkbox and select the private key I exported through IIS, then the "Uploading..." window hangs forever until I close the browser.
I wish PA had a nice guide for users new to importing certificates so I could understand the correct process. It really shouldn't be this difficult. It would also be very nice if the firewall could create the CSR and eliminate the need to use OpenSSL or IIS.
Thanks in advance to anyone who can save the day for me.
BJ
03-10-2012 08:01 AM
Hi...Since you purchased the SSL cert, you may have generated the CSR on your IIS server and selected a passphrase during the CSR creation. This passphrase is your password so it wouldn't be provided by GoDaddy. The passphrase is required to export/import the private key from IIS into the PA device.
Typically the private key is stored where you generated the CSR. If this is on IIS, you need to export the private key from IIS using your selected passphrase, convert the key from .pfx to .pem format using openssl, and import the private key along with your host.domain.com cert into the PA device.
You can reference this guide for help on the IIS export: https://live.paloaltonetworks.com/docs/DOC-1223
Thanks.
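The export-and-convert step from the reply above, as an added example that is not part of the thread: it pulls the key out of the IIS .pfx, checks that it belongs to the GoDaddy-issued certificate, and assembles the chain. The file names, the `PFX_PASS` environment variable and the output layout are assumptions.

```shell
#!/bin/sh
# Added example: file names and the PFX_PASS variable are assumptions.
# Usage: PFX_PASS=... pfx_to_pem iis-export.pfx host.domain.com.crt gd_bundle.crt outdir
pfx_to_pem() (
    pfx=$1; cert=$2; bundle=$3; out=$4
    umask 077                       # key file readable by the owner only
    mkdir -p "$out" || exit 1

    # Pull only the private key out of the PKCS#12 file. It stays encrypted
    # under the same passphrase, so no plaintext key is written to disk.
    openssl pkcs12 -in "$pfx" -nocerts \
        -passin env:PFX_PASS -passout env:PFX_PASS 2>/dev/null |
        sed -n '/-----BEGIN/,/-----END/p' > "$out/server.key"
    [ -s "$out/server.key" ] || {
        rm -f "$out/server.key"
        echo "cannot read a private key from $pfx" >&2
        exit 1
    }

    # The key and the CA-issued certificate must carry the same public key.
    key_pub=$(openssl pkey -in "$out/server.key" -passin env:PFX_PASS -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        rm -f "$out/server.key"
        echo "private key does not match $cert" >&2
        exit 2
    fi

    # Server certificate first, then the CA's intermediates.
    { openssl x509 -in "$cert"; cat "$bundle"; } > "$out/chain.pem"
)
```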
04-17-2012 05:46 AM
Hi,
I had a similar problem:
> then the "Uploading..." window hangs forever until I close the browser
and in my case, I was able to import the certificate and the key if I used Internet Explorer, but it didn't work with Firefox (I was able to import certificates with FF, but not certs with the private keys).
BR
04-19-2012 01:02 PM
I had the same problem when using Firefox. As already suggested, use IE or do it from the command line using "tftp import keypair". Pkcs12 format is fine ... you don't need to use PEM.
Jeff