- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Content translations are temporarily unavailable due to site maintenance. We apologize for any inconvenience.
11-08-2022 05:45 AM
When I try to import such certificate I get "Only self signed CA cert can have identical sub and issuer fields" error.
The certificate is not from CA server so I don't have "Back up CA" option as described here:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NUhCAM
I'm aware of this discussion but it's for SAML and it doesn't give answer to basic question as stated in this sbject:
So how can I import a certificate with same subject and issuer field but is not marked as CA? It's a self signed certificate from MS Exchange server which is required for decryption.
11-08-2022 06:10 AM
Good Day!
For decryption, it is needed both the public AND the private key.
For a Windows server, I did a quick search and these seem like the correct steps:
https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key
Once you export the certificate with private key (probably PKCS#12), you can then import the certificate in its entirety.
11-08-2022 09:15 AM
Yes, I know I need private key for decryption. But this isn't the issue here.
The issue is how to import a certificate which has the same subject and issuer field but is not marked as CA?
11-11-2022 06:55 AM
Hello again. You may certainly open a PANW TAC case to see what they suggest. In my experience, I have not been successful in importing a self-signed cert.
11-11-2022 07:22 AM
Hi @santonic ,
That is a great question. I assume you are doing Inbound SSL Decryption and the cert is for the inbound Exchange server. I did not know the NGFW would not import self-signed certs that were not a CA. Could you please let us know the resolution from TAC?
Thanks,
Tom
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!