Forward Trust Certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Forward Trust Certificate

L1 Bithead

Hi,

In my office environment, we have an internal certificate that we have been using prior to installing PAN device. Lately after installing PAN, our office staff are always getting certificate warnings whenever they visit a SSL enabled website.

I read in the PAN documents that a self-signed certificate generated by PAN firewall will eliminate this certificate warnings. My question is, do I need to generate a new self-signed certificate or can I use our internal certificate for connection to Internet?

Thanks

1 accepted solution

Accepted Solutions

L3 Networker

Suhaimi,

Whenever there are certificate warnings with SSL websites, it means there's something about the certificate presented that the client browsers do not trust.

You should be able to use the existing certificate as long as you import the cert into your firewall along with its private key, and that certificate is included in the Trusted Root CA store on your staff's workstations (if it is a root CA certificate).

If the existing certificate is not a root CA cert, make sure that you also import the root CA's cert that signed that certificate into the PAN. If this step is not done, the firewall will not pass the entire certificate chain to the internal hosts and since the infomation about the root CA is missing, there would always be a warning that the cert is not trusted.

Here are some documents related to this problem and how to chain a certificate with its root cert to be imported into the PAN.

https://live.paloaltonetworks.com/docs/DOC-2287

https://live.paloaltonetworks.com/docs/DOC-1327

https://live.paloaltonetworks.com/docs/DOC-4289

Regards,

tasonibare

View solution in original post

1 REPLY 1

L3 Networker

Suhaimi,

Whenever there are certificate warnings with SSL websites, it means there's something about the certificate presented that the client browsers do not trust.

You should be able to use the existing certificate as long as you import the cert into your firewall along with its private key, and that certificate is included in the Trusted Root CA store on your staff's workstations (if it is a root CA certificate).

If the existing certificate is not a root CA cert, make sure that you also import the root CA's cert that signed that certificate into the PAN. If this step is not done, the firewall will not pass the entire certificate chain to the internal hosts and since the infomation about the root CA is missing, there would always be a warning that the cert is not trusted.

Here are some documents related to this problem and how to chain a certificate with its root cert to be imported into the PAN.

https://live.paloaltonetworks.com/docs/DOC-2287

https://live.paloaltonetworks.com/docs/DOC-1327

https://live.paloaltonetworks.com/docs/DOC-4289

Regards,

tasonibare

  • 1 accepted solution
  • 2494 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!