Global Protect with VeriSign Certificates.

Hello,

Can someone please let me know which certificates to purchase from VeriSign for Global Protect and if there are any special methods to import them for my portal, gateway and client?

Thanks


Accepted Solutions
L5 Sessionator

Hello,

To answer the certificate import portion, as long as the certificate you get from Verisign is PKCS12 or PEM format, you shouldn't have issues importing it on our gateway. You can do this on the gateway in the WebUI. Device tab -> Certificates -> Import.

For the client, it's different on each OS and each browser, but as long as you import the client certificate in their browser's certificate store, it should be fine.

Thanks,

Jason Seals



All Replies
L6 Presenter

Personally I wouldn't put the core of my security into the hands of some foreigner, no matter if that foreigner is spelled "Verisign" or something else (on the other hand you are putting your security into the hands of PAN but still :P).

Setting up your own CA is pretty simple.

There is TinyCA (http://tinyca.sm-zone.net/) and also bootable USB drives that can act as CA (I forgot its name) unless you wish to do this manually with openssl on an Ubuntu box or whatever you prefer.

The main thing is then to protect your CA. Make sure you never connect it to any network and keep it locked up in a safebox when you are not around and it will be a better option than to use stuff from Verisign or any other public CA for your Global Protect needs. For added security make sure to use communication one way only (like don't use USB drives to export the certs/keys, better to burn it on a blank CD-R or such).

Then if you want to do this for real you can check the PCI compliance guidelines and stuff like that.
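The manual openssl route mentioned in the reply above, carried through to the PKCS12 bundle the accepted answer says the gateway can import, as an added example that is not part of either post. The hostname gp.example.internal, the file names, the friendly name and the passphrase are constructed placeholders.

```shell
# Added example: private CA -> server cert -> PKCS12 bundle (placeholder names).
set -eu

make_ca() {  # $1 = working directory on the offline CA machine
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Offline Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # -nodes keeps the demo non-interactive; on a real CA omit it to encrypt the key.
  openssl req -x509 -new -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_server_cert() {  # $1 = dir, $2 = portal/gateway FQDN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$2" > "$1/server.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/server.ext" \
    -out "$1/server.pem" 2>/dev/null
}

export_p12() {  # $1 = dir, $2 = export passphrase
  openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.pem" \
    -certfile "$1/ca.pem" -name gp-portal -passout "pass:$2" -out "$1/server.p12"
}

check_bundle() {  # 0 only if cert chains to the CA, key matches, and p12 opens
  openssl verify -CAfile "$1/ca.pem" "$1/server.pem" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1/server.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ] || return 1
  openssl pkcs12 -in "$1/server.p12" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -q 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_ca "$work"
issue_server_cert "$work" gp.example.internal
export_p12 "$work" constructed-demo-pass
check_bundle "$work" constructed-demo-pass && echo "OK: $work/server.p12"
```

Only `server.p12` (or `server.pem` plus `server.key`) and the public `ca.pem` leave the CA machine; `ca.key` stays on it.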
