03-22-2018 06:37 AM
Hello Community,
I was wondering how in a "larger scale" environement (140+ branche offices) people are generally managing their certificates?
How do you guys manage all those certificates? Within a year, you would have to at best renew 280 certificates manually... Are you generating them on longer terms? Is this just a yearly "job" that has to be done?
Thanks for your kind input.
03-22-2018 09:44 AM
With that many certificcates to manage, look into third-party Certificate management software, they will typically interface with AD CS and some third party external providers to track certificate expiry and send e-mail alerts as certificates near expiry.
The last one I dealt with (unfortunately I have forgotten it's name) coudl also use API calls to renew certificates with AD and from there I would think it would not be too difficult to use API calls to push them into panorama or directly to firewalls.
Regarding the volume of certificates... While each firewall should have a unique certificate for their HTTP interface, why not use the same certificate for SSL decrypt on all firewalls? that would nearly halve the number of certificates to manage...
03-22-2018 08:19 AM
Hello,
That can be a daunting task for sure. What we try to do is internal certificates are generated with the highest level of encryption possible and we generate then for 2+ years depending on their function. External certs are only renewed for 1 year since external service can change but we still go for the highest level of encryption the provier can give us.
Hope that helps.
03-22-2018 09:10 AM
Thanks Otakar.Klier for the answer.
For internal certificates, I was thinking of using our AD CS PKI to generate 5 year Sub CA certificates (Default template) for each firewall... and then create 2 other 5 year certificates for GUI and SSL Decryption.
Pretty simple, but after 5 years, I'll have to manually renew all those certificates for 140+ templates in Panorama... So I was just hoping for other solutions 🙂
03-22-2018 09:12 AM
Yeah sorry I dont have a better answer. Maybe reach out to your SE and put in a suggestion for Panorama to somehow manage this and hopefully in less than 5 years there will be a solution?
Just a thought.
03-22-2018 09:44 AM
With that many certificcates to manage, look into third-party Certificate management software, they will typically interface with AD CS and some third party external providers to track certificate expiry and send e-mail alerts as certificates near expiry.
The last one I dealt with (unfortunately I have forgotten it's name) coudl also use API calls to renew certificates with AD and from there I would think it would not be too difficult to use API calls to push them into panorama or directly to firewalls.
Regarding the volume of certificates... While each firewall should have a unique certificate for their HTTP interface, why not use the same certificate for SSL decrypt on all firewalls? that would nearly halve the number of certificates to manage...
03-22-2018 09:47 AM
I looked it up, the product I used previously was from Venafi - It made tracking easy for management, as well as delegation for engineers and self-service for system administrators
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
