12-23-2013 08:49 PM
Hi,
In my office environment, we have an internal certificate that we have been using prior to installing PAN device. Lately after installing PAN, our office staff are always getting certificate warnings whenever they visit a SSL enabled website.
I read in the PAN documents that a self-signed certificate generated by PAN firewall will eliminate this certificate warnings. My question is, do I need to generate a new self-signed certificate or can I use our internal certificate for connection to Internet?
Thanks
12-24-2013 02:58 AM
Suhaimi,
Whenever there are certificate warnings with SSL websites, it means there's something about the certificate presented that the client browsers do not trust.
You should be able to use the existing certificate as long as you import the cert into your firewall along with its private key, and that certificate is included in the Trusted Root CA store on your staff's workstations (if it is a root CA certificate).
If the existing certificate is not a root CA cert, make sure that you also import the root CA's cert that signed that certificate into the PAN. If this step is not done, the firewall will not pass the entire certificate chain to the internal hosts and since the infomation about the root CA is missing, there would always be a warning that the cert is not trusted.
Here are some documents related to this problem and how to chain a certificate with its root cert to be imported into the PAN.
https://live.paloaltonetworks.com/docs/DOC-2287
https://live.paloaltonetworks.com/docs/DOC-1327
https://live.paloaltonetworks.com/docs/DOC-4289
Regards,
tasonibare
12-24-2013 02:58 AM
Suhaimi,
Whenever there are certificate warnings with SSL websites, it means there's something about the certificate presented that the client browsers do not trust.
You should be able to use the existing certificate as long as you import the cert into your firewall along with its private key, and that certificate is included in the Trusted Root CA store on your staff's workstations (if it is a root CA certificate).
If the existing certificate is not a root CA cert, make sure that you also import the root CA's cert that signed that certificate into the PAN. If this step is not done, the firewall will not pass the entire certificate chain to the internal hosts and since the infomation about the root CA is missing, there would always be a warning that the cert is not trusted.
Here are some documents related to this problem and how to chain a certificate with its root cert to be imported into the PAN.
https://live.paloaltonetworks.com/docs/DOC-2287
https://live.paloaltonetworks.com/docs/DOC-1327
https://live.paloaltonetworks.com/docs/DOC-4289
Regards,
tasonibare
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
