This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Decryption certificate

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Decryption certificate

diennea
L3 Networker

‎06-25-2014 07:58 AM

Hi,

I have a PA500 (OS 5.0.11)

I already configured it for SSL Decryption with a self signed certificate.

I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.

Question is: can I use my wildcard certificate for SSL Decryption?

How?

I try to import my certificate but I cannot use it for SSL Decryption

Thanks

Regards

0 Likes Likes
5 REPLIES 5

reaper
Cyber Elite
Cyber Elite

‎06-25-2014 08:03 AM

Hi !

For SSL decryption you'll need a CA certificate as it will be posing as the signing certificate of the websites the users are accessing.

A document that may come in handy

How to Implement SSL Decryption

regards

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

diennea
L3 Networker
In response to reaper

‎06-25-2014 08:26 AM

Thanks but in case of a Certification Authority like Verisign or Digicert I need to request a new certificate (signed by them) or I need to import a root certificate?

Thanks

0 Likes Likes

Mystique
L2 Linker
In response to diennea

‎06-25-2014 08:31 AM

In case of CA like verisign or digicert, you need to import chained certificate signed by the Public CA

This document is very helpful:

How to Install a Chained Certificate Signed by a Public CA

diennea
L3 Networker
In response to Mystique

‎06-26-2014 03:26 AM

I follow this guide and I create a pkcs12 chained certificate with this command:

openssl pkcs12 -export -in [certificate.pem] -inkey [certificate.key] -CAfile [chain.cer] -caname digicert -out [server-chain.p12] -name digicert -chain

but when I import my certificate (IMPORTANT: it is a web server certificate) it is not recognized as a CA.

I think problem is that my certificate was request for a web server.

If I try to install DigiCert CA root certificate it is recognized as a CA but I cannot use it for decryption.

0 Likes Likes

gwesson
L7 Applicator
In response to diennea

‎06-26-2014 09:44 AM

You cannot use a certificate from a public CA like VeriSign or Digicert. A public CA will never give a subordinate (intermediate) CA certificate to someone outside their trust. With a subordinate certificate, you can create new certs that are trusted to the root, even for existing and common sites.

For SSL decryption, you need to use an internal CA certificate or generate a self-signed certificate on the firewall and use that. In both instances, you will need to distribute the public key of that certificate to all clients you wish to be decrypted.

Hope this helps,

Greg

  • 4807 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks