Deploying SSL decryption with Public CA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Deploying SSL decryption with Public CA

I am trying to figure out how to deploy SSL decryption. I have it working in a test environment using an in house CA and by importing the cert. into my browser. As we have Firefox users and can't export the Trusted Root CA with a GPO, I am looking for an alternative. As a CA beginner, I am struggling with some of the concepts.

If a buy a cert for a known CA (godaddy - as I like Danica Patrick), can I use that cert on my PA and will the browser trust it? I have PAs at 5 locations (some HA pairs). Do I have to buy 5 certs (or more) or can I share the same cert?

Any advise would be great.

4 REPLIES 4

L4 Transporter

Hi John,

It is not possible to purchase the correct Certificate Authority cert from a trusted public source since only Server certs are sold.  Also, if this were allowed, it would invalidate the trust ecosystem that Certificates are based on, since then it would be possible to do trusted man-in-the-middle attacks out in the wild.

The Palo Alto Networks SSL decryption solution works best when the CA cert is generated from an internal CA that is already trusted in the company or that can be pushed out to the user's browser via global policy.

Cheers,

Kelly

L0 Member

Hi John,

If you use (and you should use) a Trust (internal) CA certificate you need only one cert, the CA cert and you have to import it in every PAN device you have.

Otherwise yuou can generate a Self Signed Certificate or a server certificate issued by your internal CA for every PAN devices you have.

You dont' have to use and import a Trust Root CA in your web browser but a Subordinate CA.

First of all, I suggest you tu have a look some PKI documentation. Undestanding PKI is very important to use effectively PAN SSL-D

L3 Networker

Are you having a problem with Firefox specifically? I was able to get SSL decryption working using our internal CA and IE browsers on the domain, but Firefox does not seem to pick up the CAs in the Windows store, which caused some issues. Not sure if there is a solution to this.

Firefox is the main problem. IE is not really am problem - I can use a GPO for the certs. Chrome uses the same certs as IE, s that works. But our friend Firefox does not seem to have an enterprise solution to management it (for certs or other configs - we had a similar issue when deploying proxy settings).

  • 4401 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!