09-05-2011 04:06 AM
09-07-2011 03:29 PM
I wouldn't expect the PAN to have a list of authorized certificate authorities on the device.
This should be updated by each browser and host O/S.
09-07-2011 03:32 PM
The PAN needs to know what certificates to trust and which not to trust in order to determine when to present the trust cert to a client or the untrust cert to the client for SSL decryption. The PAN device must have an untrust and a trust list on device to do this.
09-07-2011 07:20 PM
Ah, learn something new every day.
They released update 265 to alert on certs with the DigiNotar Root Authority, but it's not clear if that removes it from the device as well or if a different update is required for the device.
09-07-2011 07:25 PM
@camkim:
Please note this information included in the release notes for this emergency content update:
"In addition, for users of SSL decryption, the new release removes DigiNotar from the device's trusted CA list"
I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s).
Thanks,
Benjamin
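To make the decision described earlier in the thread concrete (the device checks the server certificate against its trusted CA list and presents the trust cert or the untrust cert accordingly), and to show what removing a root from that list does, here is an added example that is not code from this thread or from Palo Alto Networks. It only needs the openssl CLI; every root CA, key, hostname and trust bundle in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from this thread or from Palo Alto Networks. It models
# the decision described above: a decrypting proxy verifies the server's
# certificate against its trusted CA list and re-signs it with the "trust"
# forward-proxy CA when the chain is valid, or with the "untrust" CA when it
# is not, so the client still sees a warning. Removing a root from the list
# (as the content update did for DigiNotar) flips the decision for every
# certificate that root issued. Needs the openssl CLI; every CA, key and
# certificate below is constructed in a temporary directory.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Create a self-signed root CA: $1 = file prefix, $2 = CN (constructed).
mkroot() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# Issue a leaf certificate for a constructed hostname: $1 = root prefix.
mkleaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1_leaf.key" -out "$1_leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1_leaf.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -out "$1_leaf.crt" 2>/dev/null
}

mkroot good_root "Constructed-Trusted-Root"
mkroot bad_root  "Constructed-Compromised-Root"
mkleaf good_root
mkleaf bad_root

# Trust list before the update holds both roots; after it, only the good one.
cat good_root.crt bad_root.crt > trusted_before.pem
cp  good_root.crt trusted_after.pem

# Prints which forward-proxy CA would sign the certificate shown to the
# client: $1 = trust list (PEM bundle), $2 = server certificate.
proxy_decision() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trust
  else
    echo untrust
  fi
}

echo "before update, cert from compromised root: $(proxy_decision trusted_before.pem bad_root_leaf.crt)"
echo "after update,  cert from compromised root: $(proxy_decision trusted_after.pem  bad_root_leaf.crt)"
echo "after update,  cert from trusted root:     $(proxy_decision trusted_after.pem  good_root_leaf.crt)"
```

The same certificate from the compromised root goes from "trust" to "untrust" purely because the root left the bundle, which is why the thread's advice to read the release notes and restart the dataplane matters: until the new list is loaded, the device keeps handing out the trust cert for those sites.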
09-08-2011 01:36 AM
My 2 cents is that PA should let us list & manage root CAs from GUI.
09-08-2011 03:11 AM
I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s).
Thanks,
Benjamin
Hi Benjamin,
Is it a secret where to find the trusted certificate store on a Palo Alto system? Why don't you simply tell the customers the method to control the certificate store themselves?
Kind regards
Manfred
09-08-2011 03:18 AM
They released update 265 to alert on certs with the DigiNotar Root Authority, but it's not clear if that removes it from the device as well or if a different update is required for the device.
Apparently other CAs are affected too.
(German website) http://www.heise.de/open/meldung/DigiNotar-Hack-GlobalSign-stellt-vorerst-keine-Zertifikate-mehr-aus...
09-08-2011 08:37 AM
Hi,
You need to restart your dataplane after the content update before the change can take effect.
09-08-2011 02:01 PM
@Manfred:
The trusted certificate store on Palo Alto Networks devices is not currently configurable or viewable.
If you wish to see the features of the product modified to allow user configuration of the certificate store please talk to your sales team to submit a feature request on your behalf.
Thanks,
Benjamin
09-08-2011 04:01 PM
Should a dataplane restart be done after every content update, or is this update special because of the SSL cert issue?
09-08-2011 04:03 PM
@dread:
This content update is an exception. Most content updates do not require a restart of the dataplane or the device.
Thanks,
Benjamin