How to remove DigiNotar CA SSL Root Authority

mhuels
L3 Networker

They released update 265 to alert on certs with the DigiNotar Root Authority, but it's not clear if that removes it from the device as well or if a different update is required for the device.

Also, other CAs are apparently concerned.

(German website) http://www.heise.de/open/meldung/DigiNotar-Hack-GlobalSign-stellt-vorerst-keine-Zertifikate-mehr-aus...

jleung
L4 Transporter

Hi,

You need to restart your dataplane after the content update before the change can take effect.

bpappas
L6 Presenter

@Manfred:

The trusted certificate store on Palo Alto Networks devices is not currently configurable or viewable.

If you wish to see the features of the product modified to allow user configuration of the certificate store please talk to your sales team to submit a feature request on your behalf.

Thanks,

Benjamin

dread
Not applicable

Should a dataplane restart be done after every content update or this update special because of the SSL cert issue?

bpappas
L6 Presenter

@dread:

This content update is an exception. Most content updates do not require a restart of the dataplane or the device.

Thanks,

benjamin

mhuels
L3 Networker

Hi Benjamin,

Since restarting our firewall (running 3.1.10), we see, for example by surfing on https://balie.culemborg.nl/, a "drop-all-packets" in the threat log. But in fact, the firewall does not drop the traffic nor show any error or warning in the decrypted certificate. So we have the bizarre situation of having error hints in browsers without a PA firewall (as all browsers have removed the DigiNotar CA), but no warnings in browsers which are secured by a PA firewall (because all browsers accept the PA certificate, which is used to re-encrypt the SSL traffic).

regards

Manfred

bpappas
L6 Presenter

@mhuels:

Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?

-Benjamin

mhuels
L3 Networker

bpappas wrote:

@mhuels:

Have you configured the CRL/OCSP options on the Device tab -> Server CRL / OCSP Settings screen?

-Benjamin

Hi Benjamin,

Up to now, we had not configured anything in the CRL/OCSP tab. Five minutes ago, we enabled the checking of revocation lists via CRL and OCSP. Testing on https://188.203.119.3, the firewall blocks the SSL traffic (the browser shows a timeout). Although it would be nicer not to drop but to bring up a security warning or an invalid certificate, this behaviour is tolerable for us. There are not so many DigiNotar certificates anymore ...

Thanks for your hint.

Manfred
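As an added illustration of the two points raised in this thread (a decrypting proxy re-signs the server certificate, so the browser never sees the distrusted root, and "removing the CA" only means anything if the device's own trust store and its distrust list actually change), here is an openssl-based check that shows both mechanisms side by side. This is not from the thread and not Palo Alto Networks code. Everything in it is constructed: the "distrusted" and "trusted" roots are throwaway self-signed CAs generated on the fly (not the real DigiNotar key), the host names are placeholders, and the distrust list is built from the throwaway root's own SHA-256 fingerprint where a real list would carry the published fingerprint of the revoked CA. It needs only the openssl command line and POSIX sh. It does not cover CRL/OCSP checking, which requires a reachable responder.

```shell
#!/bin/sh
# Added example: what a decrypting proxy (or any client) must do once a root CA
# is distrusted. All material below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

mk_root() {  # mk_root <name> <subject>  : constructed self-signed root CA
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

mk_leaf() {  # mk_leaf <name> <issuer-name> <subject> : leaf plus chain file
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
    cat "$WORK/$1.pem" "$WORK/$2.pem" > "$WORK/$1.chain.pem"
}

# SHA-256 fingerprint of one PEM certificate, colon-separated hex.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Check 1: does any certificate in a chain appear on the distrust list?
# This is the kind of match a content/signature update performs on the
# decrypted server chain; it works even when the root is still in the store.
chain_has_distrusted() {  # chain_has_distrusted <chain.pem> <list-file> ; 0 = hit
    split=$(mktemp -d "$WORK/split.XXXXXX")
    awk -v d="$split" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%d.pem", d, n)} n{print > f}' "$1"
    for c in "$split"/*.pem; do
        if grep -qxF "$(fingerprint "$c")" "$2"; then
            echo "distrusted CA in chain: $(openssl x509 -in "$c" -noout -subject)"
            return 0
        fi
    done
    return 1
}

# Check 2: does the leaf validate against a given trust store? Removing the
# root from the store is what "removing the CA from the device" means.
verify_chain() {  # verify_chain <leaf.pem> <store.pem> ; 0 = chain validates
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed roots and leaves (throwaway keys, placeholder names).
mk_root distrusted "/C=NL/O=Constructed Test CA/CN=Constructed Distrusted Root CA"
mk_root trusted    "/C=NL/O=Constructed Test CA/CN=Constructed Trusted Root CA"
mk_leaf bad  distrusted "/CN=balie.example.invalid"
mk_leaf good trusted    "/CN=good.example.invalid"

# Constructed distrust list: the throwaway root's fingerprint stands in for
# the published fingerprint of the revoked CA.
fingerprint "$WORK/distrusted.pem" > "$WORK/distrust.txt"

# Trust store before the fix (both roots) and after it (distrusted root gone).
cat "$WORK/distrusted.pem" "$WORK/trusted.pem" > "$WORK/store-before.pem"
cp  "$WORK/trusted.pem" "$WORK/store-after.pem"

report() {  # report <label> <leaf-name>
    if chain_has_distrusted "$WORK/$2.chain.pem" "$WORK/distrust.txt"; then hit=yes; else hit=no; fi
    if verify_chain "$WORK/$2.pem" "$WORK/store-before.pem"; then b=ok; else b=FAIL; fi
    if verify_chain "$WORK/$2.pem" "$WORK/store-after.pem";  then a=ok; else a=FAIL; fi
    printf '%-5s distrust-list hit: %-3s  verify before removal: %-4s  after removal: %s\n' \
        "$1" "$hit" "$b" "$a"
}

report bad  bad
report good good
```

The point of running both checks is the one Manfred ran into: a proxy that only consults its trust store keeps accepting the chain until the root is actually removed from that store, and a browser behind the proxy will never warn because it only sees the proxy's re-signed certificate. A fingerprint or subject match on the decrypted chain catches the distrusted root immediately, independent of what is still in the store, which is the behaviour a content update can provide ahead of a trust-store change.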
