I have a PA500 (OS 5.0.11)
I already configured it for SSL Decryption with a self signed certificate.
I need to use a Digicert Certificate. I already have a wildcard certificate with Digicert.
Question is: can I use my wildcard certificate for SSL Decryption?
I try to import my certificate but I cannot use it for SSL Decryption
For SSL decryption you'll need a CA certificate as it will be posing as the signing certificate of the websites the users are accessing.
A document that may come in handy
I follow this guide and I create a pkcs12 chained certificate with this command:
openssl pkcs12 -export -in [certificate.pem] -inkey [certificate.key] -CAfile [chain.cer] -caname digicert -out [server-chain.p12] -name digicert -chain
but when I import my certificate (IMPORTANT: it is a web server certificate) it is not recognized as a CA.
I think problem is that my certificate was request for a web server.
If I try to install DigiCert CA root certificate it is recognized as a CA but I cannot use it for decryption.
You cannot use a certificate from a public CA like VeriSign or Digicert. A public CA will never give a subordinate (intermediate) CA certificate to someone outside their trust. With a subordinate certificate, you can create new certs that are trusted to the root, even for existing and common sites.
For SSL decryption, you need to use an internal CA certificate or generate a self-signed certificate on the firewall and use that. In both instances, you will need to distribute the public key of that certificate to all clients you wish to be decrypted.
Hope this helps,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!