How to remove DigiNotar CA SSL Root Authority

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to remove DigiNotar CA SSL Root Authority

L3 Networker

i do not find a hint how to remove any SSL Root Authority in my PAN. How can i announce me the trusted SSL Authorities? Is it possible to remove a single CA like "DigiNotar  Root CA".

mfg

Manfred

17 REPLIES 17

Not applicable

+1 !

L0 Member

Ditto...

L1 Bithead

I would like to know too!

Not applicable

I wouldn't expect the PAN to have a list of authorized certificate authorities on the device.

This should be updated by each browser and host O/S.

The PAN needs to know what certificates to trust and which not to trust in order to determine when to present the trust cert to a client or the untrust cert to the client for SSL decryption. The PAN device must have an untrust and a trust list on device to do this. 

Ah, learn something new every day.

They realeased update 265 to alert on certs with the DigiNotar Root Authority, but its not clear if that removes from the device as well or if a different update is required for the device.

@camkim:

please note this information included in the release notes for this emergency content update:

"In addition, for users of SSL decryption, the new release removes DigiNotar from the device's trusted CA list"

I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s).

Thanks,

Benjamin

My 2 cents is that PA should let us list & manage root CAs from GUI.

I advise all users to read the release notes for each release of content and PAN-OS so that you know what has been addressed by each update you apply to your device(s).

Thanks,

Benjamin

Hi Benjamin,

is it a secret, where to find the trusted certificate store on a palo alto system? Why don't you tell the customers simply the method to control the certificate store by themselves?

kindly regards

Manfred

They realeased update 265 to alert on certs with the DigiNotar Root Authority, but its not clear if that removes from the device as well or if a different update is required for the device.

Also other CAs are concerned apparently.

(german website) http://www.heise.de/open/meldung/DigiNotar-Hack-GlobalSign-stellt-vorerst-keine-Zertifikate-mehr-aus...

Hi,

You need to restart your dataplane after the content update before the change can take effect.

@Manfred:

The trusted certificate store on Palo Alto Networks devices is not currently configurable or viewable.

If you wish to see the features of the product modified to allow user configuration of the certificate store please talk to your sales team to submit a feature request on your behalf.

Thanks,

Benjamin

Should a dataplane restart be done after every content update or this update special because of the SSL cert issue?

@dread:

this content update is an exception. Most content updates do not require a restart of the dataplane or the device.

Thanks,

benjamin

  • 7614 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!