03-26-2012 12:09 PM
Hello,
Can someone please let me know which certificates to purchase from VeriSign for Global Protect and if there are any special methods to import them for my portal, gateway and client?
Thanks
03-26-2012 01:11 PM
Hello,
To answer the certificate import portion, as long as the certificate you get from Verisign is PKCS12 or PEM format, you shouldn't have issues importing it on our gateway. You can do this on the gateway in the WebUI. Device tab -> Certificates -> Import.
For the client, it's different on each OS and each browser, but as long as you import the client certificate in their browser's certificate store, it should be fine.
Thanks,
Jason Seals
03-26-2012 12:54 PM
Personally I wouldn't put the core of my security into the hands of some foreigner, no matter if that foreigner is spelled "Verisign" or something else (on the other hand you are putting your security into the hands of PAN but still :P).
Setting up your own CA is pretty simple.
There is TinyCA (http://tinyca.sm-zone.net/) and also bootable USB drives that can act as a CA (I forgot its name) unless you wish to do this manually with openssl on an Ubuntu box or whatever you prefer.
The main thing is then to protect your CA. Make sure you never connect it to any network and keep it locked up in a safebox when you are not around and it will be a better option than to use stuff from Verisign or any other public CA for your Global Protect needs. For added security make sure to use communication one way only (like don't use USB drives to export the certs/keys, better to burn it on a blank CD-R or such).
Then if you want to do this for real you can check the PCI compliance guidelines and stuff like that.
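
The manual openssl route mentioned in the reply above, as an added example that is not part of the original posts: a private root CA that signs one gateway certificate and exports it in the PKCS12 and PEM formats the import answer names. The function name, file names, CA name, hostname, key sizes and lifetimes are assumptions; the passphrases are read from the `CA_PASS` and `P12_PASS` environment variables.

```shell
#!/bin/sh
# Added example. CA name, file names, key sizes and lifetimes are constructed.
# Passphrases come from the CA_PASS and P12_PASS environment variables.
make_gp_certs() (
    dir=$1; fqdn=$2                    # work dir, name clients connect to
    umask 077                          # key files readable by the owner only
    mkdir -p "$dir" && cd "$dir" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Offline Root CA
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Leaf profile: not a CA, server authentication only, SAN = hostname.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$fqdn" > gw.ext

    # 1. Root key (encrypted with CA_PASS) and self-signed root certificate.
    openssl req -x509 -config ca.cnf -newkey rsa:3072 -sha256 -days 3650 \
        -passout env:CA_PASS -keyout ca.key -out ca.pem &&
    # 2. Gateway key and certificate signing request.
    openssl req -new -config ca.cnf -subj "/CN=$fqdn" -newkey rsa:2048 \
        -nodes -keyout gw.key -out gw.csr &&
    # 3. Sign the request with the root, applying the leaf profile.
    openssl x509 -req -in gw.csr -CA ca.pem -CAkey ca.key \
        -passin env:CA_PASS -CAcreateserial -sha256 -days 365 \
        -extfile gw.ext -out gw.pem &&
    # 4. PKCS12 bundle (key + certificate + root) protected by P12_PASS.
    openssl pkcs12 -export -inkey gw.key -in gw.pem -certfile ca.pem \
        -name "$fqdn" -passout env:P12_PASS -out gw.p12 &&
    # 5. Confirm the gateway certificate chains to the new root.
    openssl verify -CAfile ca.pem gw.pem
)

# Run as a script: CA_PASS=... P12_PASS=... sh make_gp_certs.sh DIR FQDN
if [ "$#" -eq 2 ]; then make_gp_certs "$1" "$2"; fi
```

Only `gw.p12` (or `gw.pem` with `gw.key`) and `ca.pem` need to leave the CA machine; `ca.key` stays on it, and clients must trust `ca.pem` for the gateway certificate to validate.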