This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to import certificate with same subject and issuer field which is not marked as CA

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to import certificate with same subject and issuer field which is not marked as CA

santonic
L6 Presenter

‎11-08-2022 05:45 AM

When I try to import such certificate I get "Only self signed CA cert can have identical sub and issuer fields" error.

 

The certificate is not from CA server so I don't have "Back up CA" option as described here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NUhCAM

 

I'm aware of this discussion but it's for SAML and it doesn't give answer to basic question as stated in this sbject:

https://live.paloaltonetworks.com/t5/general-topics/quot-only-self-signed-ca-cert-can-have-identical...

 

So how can I import a certificate with same subject and issuer field but is not marked as CA? It's a self signed certificate from MS Exchange server which is required for decryption. 

 

1 person had this problem.
0 Likes Likes
5 REPLIES 5

S.Cantwell
Cyber Elite
Cyber Elite

‎11-08-2022 06:10 AM

Good Day!

 

For decryption, it is needed both the public AND the private key. 

For a Windows server, I did a quick search and these seem like the correct steps:

 

https://community.tenable.com/s/article/Export-a-Windows-Certificate-with-the-Private-Key

 

Once you export the certificate with private key (probably PKCS#12), you can then import the certificate in its entirety.

Help the community: Like helpful comments and mark solutions
0 Likes Likes

santonic
L6 Presenter

‎11-08-2022 09:15 AM

Yes, I know I need private key for decryption. But this isn't the issue here.

 

The issue is how to import a certificate which has the same subject and issuer field but is not marked as CA? 

0 Likes Likes

santonic
L6 Presenter

‎11-10-2022 11:53 PM

So nobody ever tried nor succeeded in this? 

0 Likes Likes

S.Cantwell
Cyber Elite
Cyber Elite

‎11-11-2022 06:55 AM

Hello again.  You may certainly open a PANW TAC case to see what they suggest.  In my experience, I have not been successful in importing a self-signed cert. 

Help the community: Like helpful comments and mark solutions
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎11-11-2022 07:22 AM

Hi @santonic ,

 

That is a great question.  I assume you are doing Inbound SSL Decryption and the cert is for the inbound Exchange server.  I did not know the NGFW would not import self-signed certs that were not a CA.  Could you please let us know the resolution from TAC?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 5491 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks