Current SSL Certificate best practices?



L4 Transporter

Greetings all,


We're getting close (hopefully) to rolling out our PAN boxes, and I'm working on getting together information to pass up the chain on features like SSL Decryption and SSL certificate security.


I've got a few questions concerning best practices for certificate generation on the PAN boxes and how the certs are used:


  1. Are PAN admins largely sticking with RSA, or has the ECDSA support out there come far enough that it is the overall better option for features like SSL Decryption, GlobalProtect, etc.?  Along those same lines, I'm curious what admins are using for number of bits and digest on cert generation, or are most people using the default 2048/sha256?
  2. For those using GlobalProtect and SSL Decryption, is it considered best practice to create a single CA cert that is both the trusted Forward Proxy cert AND the signer for the GP gateway sub-certs?  Or is it generally considered better to have the Forward Proxy cert be different and then push it out along with the gateway CA in the GP portal agent config?

  3. On that note, since each gateway needs its own cert, for those using a single portal that gives access to multiple gateways, is it better to push out the CA that signed all of the gateway certs or the individual gateway certs themselves?

Hope that all makes sense.  I've been reading up on the articles and the tech notes, but I wasn't able to find anything to clarify these questions.






L7 Applicator

1. RSA is good for backward compatibility, but ECDSA is higher security and newer tech. If your users are largely going to be clients using browsers, I'd opt for ECDSA.


2. Either is fine; there is no functional difference. Some admins prefer to separate the duties of the certificates (finer control but more management) and others prefer simplicity. There is no difference at all. It's worth saying that you can use a public CA for the GP gateway and portal as long as you're using hostnames instead of IPs, and that makes the deployment easier as there's nothing needed to push to the clients.


3. I'd push both. There's no reason not to include every CA in the chain when pushing it. However, if your GP portal & gateway certs are signed by a public CA, you won't need to push anything to the clients as they'll automatically trust them.
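To make the choices in the questions and the reply above concrete, here is an added example that is not part of this thread (and not Palo Alto's own tooling): a POSIX shell script that uses openssl to build the two certificate layouts being discussed. It generates an ECDSA P-256 CA and an RSA-2048 CA, both signed with SHA-256, issues gateway certificates off one CA, and then checks what a client that trusts only that CA can and cannot validate. The hostnames (gw1.example.com etc.), the CA names gp-ca and fwd-ca, and the working directory are all made up for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a small test PKI with
# openssl (1.1.1 or later) to compare the layouts discussed above.
# All names, hostnames and paths below are invented for illustration.
set -eu

WORK=${WORK:-$(mktemp -d)}

# make_ca <name> <rsa|ec>
# Self-signed CA. "rsa" gives the 2048-bit default the thread mentions,
# "ec" gives an ECDSA P-256 key; both are signed with SHA-256.
make_ca() {
  name=$1; alg=$2
  case "$alg" in
    rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$WORK/$name.key" 2>/dev/null ;;
    ec)  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
           -out "$WORK/$name.key" 2>/dev/null ;;
    *)   echo "unknown algorithm: $alg" >&2; return 1 ;;
  esac
  # The default openssl.cnf v3_ca section marks this as a CA (CA:TRUE),
  # which is what a Forward Trust CA or a gateway-signing CA needs.
  openssl req -x509 -new -key "$WORK/$name.key" -sha256 -days 3650 \
    -subj "/CN=$name" -out "$WORK/$name.crt" 2>/dev/null
}

# issue_leaf <ca-name> <hostname>
# Server certificate for one portal/gateway hostname, with the hostname in
# subjectAltName (clients check SAN, not CN) and serverAuth EKU.
issue_leaf() {
  ca=$1; host=$2
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORK/$host.key" 2>/dev/null
  openssl req -new -key "$WORK/$host.key" -sha256 -subj "/CN=$host" \
    -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$WORK/$host.ext" \
    -out "$WORK/$host.crt" 2>/dev/null
}

# verify_leaf <ca-name> <hostname>
# Returns 0 when the host cert chains to that CA, i.e. what a client that has
# only this CA in its trust store would accept.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_sigalg <name>   -> e.g. "ecdsa-with-SHA256" or "sha256WithRSAEncryption"
cert_sigalg() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | sed -n 's/^ *Signature Algorithm: //p' | head -n1
}

# cert_key_bits <name> -> public key size as printed by openssl ("2048", "256")
cert_key_bits() {
  openssl x509 -in "$WORK/$1.crt" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# Demo layout: one ECDSA CA (gp-ca) signs the portal and every gateway cert;
# a separate RSA CA (fwd-ca) plays the SSL Forward Proxy "Forward Trust" role.
make_ca gp-ca ec
make_ca fwd-ca rsa
issue_leaf gp-ca portal.example.com
issue_leaf gp-ca gw1.example.com
issue_leaf gp-ca gw2.example.com

# Question 3: a client holding only gp-ca validates every gateway, so pushing
# the signing CA is enough; per-gateway leaf certs need not be distributed.
verify_leaf gp-ca gw1.example.com
verify_leaf gp-ca gw2.example.com

# Question 2: with separate CAs, gp-ca does nothing for fwd-ca and vice versa,
# so both have to reach the clients (or you collapse them into one CA).
if verify_leaf fwd-ca gw1.example.com; then
  echo "unexpected: fwd-ca should not validate a gp-ca-signed gateway" >&2
  exit 1
fi

echo "gp-ca : $(cert_sigalg gp-ca), $(cert_key_bits gp-ca)-bit key"
echo "fwd-ca: $(cert_sigalg fwd-ca), $(cert_key_bits fwd-ca)-bit key"
```

Run it as `sh pki-demo.sh`; the printed lines show the digest and key size each CA actually ended up with, which is the quickest way to confirm a "2048/sha256" or "P-256/sha256" choice before importing anything into the firewall. If you want the single-CA layout instead, issue the gateway certs from the same CA you load as Forward Trust; the verification calls then pass against that one CA.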


Thanks for the reply, gwesson.


Has anyone run into any issues using ECDSA?  And has anyone encountered any real-world performance issues from using the higher bit counts and/or better digests?


While playing around with ECDSA generation this morning, I noticed the Forward Trust and Forward Untrust are greyed out and not selectable even when the cert is a CA and Trusted Root CA.  Is SSL Forward Proxy decryption not supported with ECDSA certs?  I'm currently using the 7.1.6 release.


