Cert key import


L4 Transporter

What is the best way to import a key for a globalprotect portal? I already have CA installed.

14 replies

L6 Presenter

Hi,

Just did it recently. I used COMODO (I think it is 4-5 £ per year). So I generated a CSR and sent it to Comodo. Received back the signed cert (they did only a DV check), and imported the cert to the firewall as well as the private key (I used a .txt file). The private key will be encrypted, I think, by the Master Key on the PA. Created an SSL Profile and used it with the GP configuration.

Yeah, I believe I only need to add the key, not the cert.

When using a public CA, the chain is vitally important to get right. It can be done wrong and cause some issues. Here's a doc I wrote a few years ago that goes into the details:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed...

I am using an internal CA; we have our own CA server set up in our network. I created the key on it.

So do I choose import and then browse to the key, or do I need to chain it to the CA that is already installed on the PA?

So I had a .crt certificate + .txt private key. Imported both and everything works as it should.

There is already an existing .crt on the box. I just need to add the key, but I am not sure what the right procedure is.

As far as I know you should have your private key as a separate file, and while importing the certificate into the box use the option to add a private key as below:

[screenshot: TEST.PNG]

When you finish you should see the cert with private key uploaded and ready to be used:

[screenshot: CERT.PNG]

If you uploaded the cert without the key I don't think you can use it, as you will not be able to decrypt the data.

Re-upload the cert, importing the private key at the same time.

Okay, that makes sense, and thanks for the screenshots. So are you basically chaining it to the existing cert?

I don't really know what exactly is happening behind the scenes, but to me you are uploading a digital certificate (it is signed by a trusted authority as well as containing a public key):

[screenshot: CERCER.PNG]

When the SSL handshake is completed, the client will encrypt the data with the public key taken from the cert. For you to be able to decrypt you need to have the private key. Whether it is chained with the cert when you upload it or not I am not sure, and I don't know much about cert formats. Sorry.

If I am understanding everything correctly, if you've already generated the CSR on the PA and thus it already has the private key installed, then yes, just import the public key from the CA. The PA should marry the two automatically.

--
CCNA Security, PCNSE7

I have my own trusted root CA server and can generate my own certs and keys. Currently it has the trusted root CA certificate installed, and I want to add another key for another GlobalProtect portal on the PA and would like to add a cert and key to it.

So then generate a new certificate, making sure you don't check the CA button, create and export the CSR, run the CSR through your enterprise CA, and then import the resulting public key.

https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Generate-a-CSR-Certificate-Signing-Req...

--
CCNA Security, PCNSE7
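Before uploading a .crt together with a separate private-key file (the route described in the replies above), it is worth checking offline that the two actually belong together and that the cert is signed by the internal CA already on the box, since a mismatched pair only shows up later as a failed portal TLS handshake. The script below is an added example, not code from the thread or from Palo Alto Networks; it uses only the openssl CLI, and the demo CA, the portal name gp.example.test and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-import checks for a certificate plus a
# separate private-key file, using only the openssl command-line tool.
set -eu

# Returns 0 when the public key inside CERT ($1) is the same key as in KEY ($2).
# Compares SHA-256 digests of the DER-encoded public keys, so it works for RSA and
# EC keys alike and regardless of the key file's extension (.txt, .key, .pem).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when CERT ($1) verifies against the CA certificate(s) in CA_FILE ($2),
# i.e. it was issued by the same internal CA that is already installed on the firewall.
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Builds a throwaway internal CA and a portal cert in a temp directory (constructed demo
# data) and prints the directory path. Also writes an unrelated key (other.key) so the
# mismatch case can be exercised.
make_demo_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Internal CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=gp.example.test" -keyout "$dir/portal.key" -out "$dir/portal.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/portal.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/portal.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
  printf '%s\n' "$dir"
}

# On real files: key_matches_cert portal.crt portal-key.txt && cert_chains_to_ca portal.crt internal-ca.crt
if [ "${1:-}" = "demo" ]; then
  d=$(make_demo_pki)
  key_matches_cert "$d/portal.crt" "$d/portal.key" && echo "portal.key matches portal.crt"
  key_matches_cert "$d/portal.crt" "$d/other.key" || echo "other.key does NOT match portal.crt"
  cert_chains_to_ca "$d/portal.crt" "$d/ca.crt" && echo "portal.crt chains to ca.crt"
  rm -rf "$d"
fi
```

Run it with `demo` as the first argument to see all three checks on the constructed files; point the two functions at your own .crt, key file and CA cert for the real pre-import check.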

Can I add a key to an existing CSR since we have a global one?
