03-27-2017 01:10 PM - edited 03-27-2017 01:33 PM
Hi,
Just did recently. I used COMODO (think it is 4-5 £ per year). So generated CSR, sent to COMODO. Received back signed cert (did only DV check), imported the cert to the firewall as well as the private key (I used .txt file). Private key will be encrypted, I think, by Master Key on PA. Created an SSL Profile and used with GP configuration.
03-27-2017 01:38 PM
Yeah, I believe I only need to add the key, not the cert.
03-27-2017 01:48 PM
When using a public CA, the chain is vitally important to get right. It can be done wrong, and cause some issues. Here's a doc I wrote a few years ago that goes into the details:
03-27-2017 01:55 PM
I am using an internal CA; we have our own CA server set up in our network. I created the key on it.
03-29-2017 09:38 AM
So do I choose import and then browse to the key, or do I need to chain it to the CA that is already installed on the PA?
03-29-2017 09:54 AM
So I had a .crt certificate + .txt private key. Imported both and everything works as it should.
03-29-2017 12:50 PM
There is already an existing .crt on the box. I just need to add the key, but I am not sure what the right procedure is.
03-29-2017 02:02 PM
As far as I know you should have your private key as a separate file, and while importing the certificate into the box use the option to add a private key as below:
When you finish you should see cert with private key uploaded and ready to be used:
If you uploaded the cert without the key, I don't think you can use it, as you will not be able to decrypt the data.
Re-upload the cert, importing the private key at the same time.
03-29-2017 02:09 PM
Okay, that makes sense, and thanks for the screenshots. So are you basically chaining it to the existing cert?
03-29-2017 02:37 PM
I don't really know what exactly is happening behind the scenes, but to me you are uploading a digital certificate (it's signed by a trusted authority and contains a public key):
When the SSL handshake is completed, the client will encrypt the data with the public key taken from the cert. For you to be able to decrypt, you need to have the private key. Whether it is chained with the cert when you upload it or not, I am not sure, and I don't know much about cert formats. Sorry.
03-29-2017 05:03 PM
If I am understanding everything correctly, if you've already generated the CSR on the PA and thus it already has the private key installed, then yes, just import the public key from the CA. The PA should marry the two automatically.
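The replies above all turn on one relationship: a certificate, the CSR it was issued from and the private key carry the same public key. The following is an added example, not part of the original thread, that checks this with OpenSSL before anything is imported; the file names are placeholders, and PEM input with an unencrypted private key is assumed.

```shell
#!/bin/sh
# Added example: check that a certificate, CSR and private key share one
# public key before importing them. File names are placeholders.

# Print the public key (PEM) carried by a certificate, CSR or private key.
# usage: pubkey_of cert|csr|key FILE
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Return 0 when both files parse and carry the same public key,
# 1 when the keys differ, 2 when either file cannot be read or parsed.
# usage: same_keypair TYPE1 FILE1 TYPE2 FILE2
same_keypair() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone use: sh check_pair.sh portal.crt portal.key
if [ "$#" -eq 2 ]; then
    if same_keypair cert "$1" key "$2"; then
        echo "match: $2 is the private key for $1"
    else
        echo "no match (or unreadable input): do not import this pair" >&2
        exit 1
    fi
fi
```

The same function compares a CSR against a key (`same_keypair csr portal.csr key portal.key`), which shows whether a given key file is the one a CSR was generated from.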
03-30-2017 06:10 AM
I have my own trusted root CA server and can generate my own certs and keys. Currently it has the trusted root CA certificate installed, and I want to add another key for another GlobalProtect portal on the PA and would like to add a cert and key to it.
03-30-2017 07:49 AM
So then generate a new certificate, making sure you don't check the CA button, to create and export the CSR, run the CSR through your enterprise CA, and then import the resulting public key.
03-31-2017 09:30 AM
Can I add a key to an existing CSR, since we have a global one?