Creating New Cert from local trusted root CA


Cyber Elite

I have a local trusted root CA on the PA.

Also I have an SSL decryption cert on the PA.

Is it possible for me to create a new cert from the root and use it for the web GUI?

MP

Help the community: Like helpful comments and mark solutions.

8 REPLIES

L4 Transporter

You can generate a new certificate for the GUI as well, but you need not. You can use the same root cert for the GUI as well. Call it under the SSL/TLS service profile. Use it under management configuration.

It does not work.

Under the SSL/TLS profile the CA root cert does not show up?

MP


Do you have the private key of the same certificate inside the PA? Only then can you use the certificate for web access.

No, the CA root cert has no private key checked.

MP


Can anyone answer this?

MP


Abdul alluded to it - you can't generate a new cert from that root without the private key. If that was a thing you could do, you could just grab GoDaddy or Let's Encrypt's public root cert and create a valid cert for any domain. It's a fundamental part of PKI - if you don't have the private key, you can't sign a new cert issued by that CA.

Many thanks for answering the question.

MP


L7 Applicator

Besides the fact that the whole trust system of the PKI wouldn't work if everyone could sign certs with a public key, the money-making machine of the public CA also wouldn't work 😉
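The point made in the replies above, that a CA certificate without its private key cannot issue anything, shown with OpenSSL as an added example (not part of the original thread or any poster's code). The file names, the `Demo Root CA` and `fw.example.test` names and the helper functions are constructed for the demo, and it runs on a workstation, not on the firewall.

```shell
#!/bin/sh
# Added example. Every key, name and file here is constructed locally and thrown away.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT

new_ca() {   # new_ca NAME: self-signed CA "CN=Demo Root CA" -> NAME.key + NAME.crt
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/$1.key" -out "$d/$1.crt" 2>/dev/null
}

issue() {    # issue CA_CERT CA_KEY LEAF: sign a server cert for fw.example.test
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
    -keyout "$d/$3.key" -out "$d/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$3.csr" -CA "$d/$1.crt" -CAkey "$d/$2.key" \
    -set_serial 1 -days 1 -out "$d/$3.crt" 2>/dev/null
}

chains_to_root() {   # true only if openssl verify accepts LEAF with root.crt as sole trust anchor
  openssl verify -CAfile "$d/root.crt" "$d/$1.crt" >/dev/null 2>&1
}

has_private_key() {  # has_private_key CERT KEY: is KEY the private half of CERT's public key?
  pub=$(openssl x509 -in "$d/$1.crt" -noout -pubkey 2>/dev/null) &&
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$d/$2.key" -pubout 2>/dev/null)" ]
}

new_ca root        # the real CA: certificate AND private key
new_ca lookalike   # same subject name, different key pair (stands in for "no root.key")

issue root root good               # signed with the CA's own private key
issue root lookalike refused       # CA cert + non-matching key: openssl refuses to sign
issue lookalike lookalike forged   # issuer name matches the root, the signature does not

for leaf in good refused forged; do
  if chains_to_root "$leaf"; then echo "$leaf: trusted"; else echo "$leaf: NOT trusted"; fi
done
if has_private_key root lookalike; then echo "key matches root"; else echo "key does not match root"; fi
```

Only `good` verifies against the root. The `has_private_key` comparison is the same question the second reply asks: whether the key on the box actually belongs to the certificate.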

  • 2 accepted solutions
  • 3476 Views
  • 8 replies
  • 0 Likes