External CA Certificate Options Greyed Out

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

External CA Certificate Options Greyed Out

L3 Networker

Hi guys,

 

I've followed the documentation on how to generate a CSR (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Generate-a-CSR-Certificate-Signin... but when importing the certificate I'm only able to select one option, as shown below.

 

 

Could you please help explain why they're greyed out?

 

Thanks

 

4 REPLIES 4

L3 Networker

Edit:

 

I'm trying to use this External CA for SSL Forward Proxy.

 

 

Your images didn't come through for some reason, but in general the reason for this is because the CSR wasn't signed with the CA option (ca=true). If it's not a CA cert, it cannot be used for forward decryption. 

 

You will be unable to get a CA cert from a public authority (like Symmatec or GoDaddy). No public CA will give a private party a certificate that can be used to issue new, trusted certificates. 

 

You'll need to use an internal CA, or create a self-signed CA cert on the firewall and distribute that to your users.

 

Cheers,

Greg

Ah that's a shame.

 

I'm sure I can use an External CA for SSL Forward Proxy, I just needed to mark the certifcate as the Trusted Root CA, as well as Forward Trust and Untrust. This wasn't done and should work otherwise..?

 

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/decryption/configure-ssl-forward-pro...

 

Regarding the screenshots, I had tried to edit the subordinate certificates which you can't change as they're generated off of the back of the Trusted Root cert.


Thanks 
Jack

For firewall to be able to sign certificates on the fly for forward proxy to work you need CA or intermediate CA certificate.

Public CA's will not allow you to be their intermediate because this would completely brake SSL model (you could decrypt anyones SSL traffic).

For that reason you either generate CA and push it out with Group Policy or generate CA certificate and sign it with your domain CA (then root will be domain CA and fw cert will be intemediate).

If you take second path then you don't have to push fw cert to anyware as your domain computers already trust domain root CA.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 5048 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!