Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

GesoTrust Intermediate Certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GesoTrust Intermediate Certificate

L1 Bithead

Hi,

 

We're having some issues with the Intermidiate certificate that we're using in one of our servers when trying to connect to it passing trough your firewall (installed in our client's system).

 

Our certificate provider is GeoTrust Inc. and I've been reading that there may be some problems with your firewall when using it.

Since only 2 users from our client will be connecting to this server; is there a way to generate this certificates manually and install them on their computers?

 

Any help will be greatly appreciated because I'm a little out of my depth here.

 

Kind Regards, Guillermo.

1 accepted solution

Accepted Solutions

I am a bit confused about your setup/requirements but generally, Palo (when doing decryption) will forward trust and untrust certs to the client. This video helped me to understand same as community:-) Do you have that server available on Internet, if yes this website will help you to check server ssl cert and much more:

 

https://www.ssllabs.com/ssltest/

 

https://www.youtube.com/watch?v=7o3Pjhs1qxM

View solution in original post

8 REPLIES 8

L7 Applicator

What type of connection is the PA brokering for your server?

 

Is the PA performing decryption on your traffic?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

If no decryption implemented Palo wouldn't care about the SSL traffic and the cert used by clien/server as @pulukas mentioned. If you do have a decryption then this post might help you:

 

https://live.paloaltonetworks.com/t5/General-Topics/SSL-Decryption-issue-wrong-certificate/m-p/14130...

 

I just forwarded those 2 questions to our client.

 

As soon as I get a reply, I'll Post here.

 

Thank you so much for your help!

Than you for the link!

 

I still don't know about the decryption (waiting on response from client), but I'm gonna check it out just in case.

 

Than so much you for the response !

Hi,

 

I just got an answer, apparently PA is performing ssl decryption for my client. PA manages the firewall.

 

 

I've also been told that whitelisting this certificate "wouldn't be a good idea" so that's not an option to me.

 

Any ideas on how to proceed?

 

Thanks in advance.

 

I am a bit confused about your setup/requirements but generally, Palo (when doing decryption) will forward trust and untrust certs to the client. This video helped me to understand same as community:-) Do you have that server available on Internet, if yes this website will help you to check server ssl cert and much more:

 

https://www.ssllabs.com/ssltest/

 

https://www.youtube.com/watch?v=7o3Pjhs1qxM

Thank you so much!!

 

I checked our server with the website you linked and it came up with tons of warning messages.

 

TLS 1.2 -> NO

TLS 1.1 -> NO

TLS 1.0 -> Yes

SSL 3 INSERCURE -> Yes  --> I Think this may be it

SSL 2 -> NO

 

I'll forward the full report to our server provider to see what can be done.

 

Thank you so much for your help. 

 

 

Looks like you need to fix the server certificate and/or exclude it from the decryption.

  • 1 accepted solution
  • 4006 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!