02-22-2013 04:00 AM
Hello
Which attributes shall an external CA certificate have to be accepted as a Secure Web GUI Certificate?
I have imported one, but SSL Management doesn't work with it. These are its attributes:
Version: 3 (0x2)
Serial Number:
15:28:3b:46:00:00:00:02:38:da
Signature Algorithm: sha1WithRSAEncryption
Issuer: DC=int, DC=company, CN=company
Validity
Not Before: Feb 20 17:16:16 2013 GMT
Not After : Feb 18 17:16:16 2021 GMT
Subject: C=es, ST=ada, L=ada, O=., OU=Sistemas de Informaci\xC3\xB3n, CN=pa-intx.company.int
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
B9:3D:01:81:2B:13:00:A3:B7:7A:59:B1:46:C6:33:9E:34:B0:7D:B4
X509v3 Authority Key Identifier:
keyid:09:9A:47:A9:5C:87:E0:B3:41:04:3F:55:21:24:06:1C:A0:EC:3C:BC
X509v3 CRL Distribution Points:
URI:ldap:///CN=company,CN=escullos01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=int?certificateRevocationList?base?objectClass=cRLDistributionPoint
URI:http://escullos01.company.int/CertEnroll/company.crl
Authority Information Access:
CA Issuers - URI:ldap:///CN=company,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=company,DC=int?cACertificate?base?objectClass=certificationAuthority
CA Issuers - URI:http://escullos01.company.int/CertEnroll/escullos01.company.int_company.crt
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0..&+.....7.....<...1...$.......|./..d...<..d...
X509v3 Extended Key Usage:
TLS Web Client Authentication
1.3.6.1.4.1.311.21.10:
0.0
These are the ones from the Internal Palo Alto Certificate:
[redes@gollum Certificados]$ openssl x509 -in Cert_Interno_Pa_Intx.cer -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
d9:4d:91:9b:17:e4:0c:4c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Sunnyvale, O=Palo Alto Networks, OU=Support, CN=localhost/emailAddress=support@paloaltonetworks.com
Validity
Not Before: Jul 12 22:18:24 2010 GMT
Not After : Jul 11 22:18:24 2020 GMT
Subject: C=US, ST=CA, L=Sunnyvale, O=Palo Alto Networks, OU=Support, CN=localhost/emailAddress=support@paloaltonetworks.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
02-22-2013 10:24 AM
Two questions:
1. Was the private key imported with the certificate?
2. If yes, what is the error message (if any) that you receive when trying to select that certificate as the Web GUI Certificate?
I also noticed that you have an accent in the OU field "Informaci\xC3\xB3n". While that should work, you may want to try regenerating it without the accent mark over the o.
As long as the certificate has the private key, you should be able to use it. It does not need to be a CA certificate.
Hope this helps!
Greg
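Two things raised in this thread can be checked with openssl before a certificate is imported: whether the private key goes with the certificate, and what the Extended Key Usage in the posted dump (TLS Web Client Authentication only) means to OpenSSL's own purpose check. This is an added example, not part of the original thread; the function names, file names and the constructed self-signed samples are assumptions, and it does not establish what the firewall itself requires.

```shell
#!/bin/sh
# Added example: pre-import checks for a certificate/key pair meant for a web GUI.
# Function names, file names and the generated sample certs are assumptions.

# 0 if the private key belongs to the certificate (same public key).
key_matches_cert() {   # key_matches_cert <cert.pem> <key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 if OpenSSL's purpose check accepts the certificate as a TLS server.
# A certificate whose Extended Key Usage lacks serverAuth fails here.
usable_as_tls_server() {   # usable_as_tls_server <cert.pem>
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# Print the EKU values so the reason for a failure is visible.
show_eku() {   # show_eku <cert.pem>
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Extended Key Usage' | tail -n 1 |
        sed 's/^ *//; s/ *$//'
}

# Constructed sample: self-signed cert with the given EKU (e.g. clientAuth).
make_sample() {   # make_sample <dir> <name> <eku>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example" \
        -keyout "$1/$2.key" -out "$1/$2.crt" \
        -addext "extendedKeyUsage=$3" 2>/dev/null
}

# Report both checks for one certificate/key pair.
check_pair() {   # check_pair <cert.pem> <key.pem>
    if key_matches_cert "$1" "$2"; then echo "key: matches"
    else echo "key: MISMATCH"; fi
    if usable_as_tls_server "$1"; then echo "server use: yes"
    else echo "server use: NO (EKU: $(show_eku "$1"))"; fi
}

# Usage: sh check_cert.sh <cert.pem> <key.pem>
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```
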
02-25-2013 03:14 AM
1.- Yes, the private key is included
2.- There's no error. The GUI does not respond after applying the Commit, though telnet to port 443 is answering.