How to import certificate with same subject and issuer field which is not marked as CA

L6 Presenter

When I try to import such a certificate I get the "Only self signed CA cert can have identical sub and issuer fields" error.

 

The certificate is not from CA server so I don't have "Back up CA" option as described here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NUhCAM

 

I'm aware of this discussion, but it's for SAML and it doesn't give an answer to the basic question as stated in this subject:

https://live.paloaltonetworks.com/t5/general-topics/quot-only-self-signed-ca-cert-can-have-identical...

 

So how can I import a certificate with the same subject and issuer fields that is not marked as a CA? It's a self-signed certificate from an MS Exchange server which is required for decryption.

 

5 REPLIES

Cyber Elite

Good Day!

 

For decryption, both the public AND the private key are needed.

For a Windows server, I did a quick search and these seem like the correct steps:

 

https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key

 

Once you export the certificate with private key (probably PKCS#12), you can then import the certificate in its entirety.

Help the community: Like helpful comments and mark solutions
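Added example to go with the reply above; it is not code from this thread or from Palo Alto Networks. Before attempting the import, it is worth checking locally for the exact condition named in the error message: subject DN equal to issuer DN (self-signed) combined with a basicConstraints extension that is absent or says CA:FALSE. The script below builds that check from `openssl x509` and, to have something to run it on, constructs three test certificates (an Exchange-style self-signed server cert, a self-signed CA, and the same server name signed by that CA). All file names and CNs are made up for the example; it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
# Added example, not from the thread: reproduce the firewall's check locally.
# A certificate whose subject DN equals its issuer DN is self-signed; if its
# basicConstraints extension is absent or says CA:FALSE, it is exactly the kind
# of certificate the original poster could not import. Assumes OpenSSL 1.1.1+.
set -e

# cert_subject FILE -> subject DN as text
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
# cert_issuer FILE -> issuer DN as text
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//'; }

# cert_is_ca FILE -> success only if basicConstraints carries CA:TRUE
cert_is_ca() {
  openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'
}

# classify FILE -> prints one of:
#   self-signed-non-ca  subject == issuer and not a CA (the case in the thread)
#   self-signed-ca      subject == issuer with CA:TRUE (a root CA certificate)
#   issued              subject != issuer (signed by some other certificate)
classify() {
  if [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; then
    if cert_is_ca "$1"; then echo self-signed-ca; else echo self-signed-non-ca; fi
  else
    echo issued
  fi
}

# write_cfg FILE CN CA_FLAG -> minimal openssl config for the constructed test certs
write_cfg() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' "CN = $2" '[ext]' "basicConstraints = critical, CA:$3" > "$1"
}

# make_selfsigned OUT.pem CN CA_FLAG -> self-signed cert plus key, CA:TRUE or CA:FALSE
make_selfsigned() {
  write_cfg "${1%.pem}.cnf" "$2" "$3"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "${1%.pem}.cnf" -extensions ext \
    -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Constructed sample inputs (hypothetical names, not taken from the thread):
#   exchange.pem  self-signed server cert of the kind Exchange generates itself
#   rootca.pem    self-signed CA cert
#   issued.pem    the same server name, but signed by rootca instead
WORK=$(mktemp -d)
make_selfsigned "$WORK/exchange.pem" mail.example.com FALSE
make_selfsigned "$WORK/rootca.pem"   "Example Root CA" TRUE
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/exchange.cnf" \
  -keyout "$WORK/issued.key" -out "$WORK/issued.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/issued.csr" -CA "$WORK/rootca.pem" \
  -CAkey "$WORK/rootca.key" -CAcreateserial -sha256 -days 1 \
  -out "$WORK/issued.pem" >/dev/null 2>&1

# Report how each test certificate classifies
for f in exchange rootca issued; do
  printf '%-9s %s\n' "$f" "$(classify "$WORK/$f.pem")"
done
```

To run the same check against the PKCS#12 exported from the Exchange host, pull the leaf certificate out first with `openssl pkcs12 -in export.pfx -nokeys -clcerts -out cert.pem` (it prompts for the export password) and then call `classify cert.pem`. A result of `self-signed-non-ca` means the certificate matches the condition in the error message, so the import will fail for that reason and not because of a packaging problem with the export.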

L6 Presenter

Yes, I know I need private key for decryption. But this isn't the issue here.

 

The issue is how to import a certificate which has the same subject and issuer field but is not marked as CA? 

L6 Presenter

So nobody ever tried nor succeeded in this? 

Cyber Elite

Hello again.  You may certainly open a PANW TAC case to see what they suggest.  In my experience, I have not been successful in importing a self-signed cert. 


Cyber Elite

Hi @santonic,

 

That is a great question.  I assume you are doing Inbound SSL Decryption and the cert is for the inbound Exchange server.  I did not know the NGFW would not import self-signed certs that were not a CA.  Could you please let us know the resolution from TAC?

 

Thanks,

 

Tom

  • 5497 Views
  • 5 replies
  • 0 Likes