Intermediate certs for SSL-VPN portal

L2 Linker

Hi!

I am using a DigiCert certificate for the SSL VPN portal and the management interface, and it all works well with most browsers. However the certification chain requires an intermediate CA to be trusted/sent as well, and I haven't managed to get that to work on the PAN-box.

It's not a big issue as most browsers seem to be able to resolve the chain by themselves, but for example Firefox on Linux and the iPad are unable to verify the chain.

I have added the intermediate certificate required as a trusted CA but that didn't seem to help.

Any suggestions or tips are greatly appreciated.

Thanks, Tom


Accepted Solutions
L3 Networker

SSL certificates were not included in the config XML file until 4.0.

Also, instead of rebooting the device or the dataplane, when importing the same certificate that you already imported, just give it a new name, then change your SSLVPN or captive portal config to use this new certificate.


All Replies
L6 Presenter

What version of Firefox is running on the Linux and iPad devices?

L1 Bithead

Hi.

I have the same problem with Digi intermediate certificate.

Did you find any solution to this problem?

Thanks, Roger

L0 Member

I didn't notice either; however, I am having the same issue with my DigiCert certificates not being trusted on my iOS devices, served up via either the Palo Alto or a set of Juniper SAs we have, when connecting using Safari or the Junos Pulse client. I believe this might be an iOS cert store issue.

L1 Bithead

Have you found a resolution to this issue? I am experiencing the same problem.

L4 Transporter

Hello,

Problem happens because PAN OS doesn't always import the intermediate certificate (I don't know why). The fix is to edit the XML configuration file to add the intermediate certificate, then upload it back to your box and commit.

Many browsers don't complain about a missing intermediate cert, because many of them embed certificates from widespread vendors in addition to root CAs (which is a pure security mess, of course).

L4 Transporter

Here is an extract from the XML which is missing the intermediate:

<entry name="Mgmt and Portal">
  <common-name>xxxxxxxxxxxxxxxxx</common-name>
  <ca>no</ca>
  <expires>Sep 2 2014</expires>
  <expiry-epoch>1409649540</expiry-epoch>
  <public-key>Bag Attributes
    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
    friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
</public-key>

The fix consists of inserting the intermediate certificate, in addition to the existing one, inside the <public-key> statement (the intermediate goes after the server certificate, each in its own BEGIN/END block):

<entry name="Mgmt and Portal">
  <common-name>xxxxxxxxxxxxxxxxx</common-name>
  <ca>no</ca>
  <expires>Sep 2 2014</expires>
  <expiry-epoch>1409649540</expiry-epoch>
  <public-key>Bag Attributes
    localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
    friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aEd5y3GY3i4aWL/LKXe70PBADPZjnDvnJ5e6QhK94uIQdBh9kC26vy89SYsO+XbGOjnZN0QvyvCia
U80x2DrJvbMgKego/ZHQ6B45YckeyZ97YtRd30TZI/eDfCtgtrPbm4RLCYjqPESfnx1xyQnbMyqQ7q
FzGetu6ouKSllYycKyErYJbAoVYpozGx59i0gYTVCJluKcx3POnozvw7ZPUzJMgBMRJdS3Va8WW
kLcHynh1rlcHwWPK022ouJFrMHEQ.........
-----END CERTIFICATE-----
</public-key>

Import your XML file back, commit and enjoy. Be aware that you will need to restart your appliance's dataplane or even reboot, because PAN OS doesn't detect that there was a real change inside the public certificate chain (another bug?), so it won't reload it during commit.
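The splice described in the post above, together with the checks a practitioner would run before and after it, as an added example. This is a shell script written for this page, not code from the thread or from Palo Alto Networks. It builds a throwaway root, intermediate and server certificate with openssl (constructed test data: the subjects, the name vpn.example.test, the file names and the "Mgmt and Portal" entry stub are all assumptions), shows that the server certificate fails to verify against the root until the intermediate is supplied, inserts the intermediate before </public-key> with awk, and confirms the resulting bundle is in the order a chain needs (end-entity first, then its issuer). It assumes openssl, awk and sed are on the PATH.

```shell
#!/bin/sh
# Added example, not code from this thread or from Palo Alto Networks.
# Builds a throwaway root -> intermediate -> leaf PKI (constructed data),
# shows that the leaf alone does not verify, splices the intermediate into a
# PAN-OS-style <public-key> element the way the post above does by hand, and
# checks the spliced bundle. Assumes openssl, awk and sed are on the PATH.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

keygen() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Constructed test PKI. Extensions come from -extfile so the result does not
# depend on whatever openssl.cnf the host happens to have.
make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > leaf.ext
    keygen root.key; keygen int.key; keygen leaf.key
    openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.pem
    openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -out int.csr
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem
    openssl req -new -key leaf.key -subj "/CN=vpn.example.test" -out leaf.csr
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -extfile leaf.ext -out leaf.pem
}

# Verify a leaf the way a client with only the root in its store would.
# $1 = leaf, $2 = optional file of untrusted intermediates. Exit 0 = chain builds.
verify_leaf() {
    if [ "${2:-}" ]; then
        openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
    fi
}

# Check bundle order (end-entity first, then each issuer): every certificate's
# issuer must equal the subject of the one after it. $1 = bundle. Exit 1 on a break.
chain_links_ok() {
    awk -v p="$1" '/BEGIN CERTIFICATE/ { i++ } { print > (p "." i) }' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1.$i" | sed 's/^issuer=//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1.$((i + 1))" | sed 's/^subject=//')
        [ "$issuer" = "$subject" ] || return 1
        i=$((i + 1))
    done
}

# Insert the intermediate before the closing </public-key> of the named
# certificate entry of an exported config.
# $1 = config xml, $2 = entry name, $3 = intermediate pem, $4 = output xml
splice_intermediate() {
    awk -v name="$2" -v pem="$3" '
        index($0, "<entry name=\"" name "\">") { inside = 1 }
        inside && /<\/public-key>/ {
            while ((getline line < pem) > 0) print line
            close(pem); inside = 0
        }
        { print }' "$1" > "$4"
}

# Pull the PEM material out of the first <public-key> element; openssl ignores
# the Bag Attributes lines around the certificates. $1 = xml, $2 = output bundle
public_key_bundle() {
    sed -n '/<public-key>/,/<\/public-key>/p' "$1" | sed 's#<public-key>##; s#</public-key>##' > "$2"
}

# Constructed stand-in for the exported config: the leaf only, no intermediate.
make_config() {
    {
        printf '<entry name="Mgmt and Portal">\n<common-name>vpn.example.test</common-name>\n<ca>no</ca>\n'
        printf '<public-key>Bag Attributes\n    friendlyName: vpn.example.test\n'
        cat leaf.pem
        printf '</public-key>\n</entry>\n'
    } > config.xml
}

# Count the certificates a live portal actually sends (needs network, so not
# run here). 1 means the intermediate is still missing. $1 = host:port
served_chain_depth() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_pki >/dev/null 2>&1
make_config
public_key_bundle config.xml before.pem
splice_intermediate config.xml "Mgmt and Portal" int.pem fixed.xml
public_key_bundle fixed.xml after.pem
```

After the commit, served_chain_depth vpn.example.test:443 (substitute the portal's own address) run from a host with network access should print 2, one certificate for the portal and one for the intermediate; 1 means the firewall is still sending the server certificate alone. Test with openssl rather than with a desktop browser: many browsers fetch a missing intermediate over the certificate's AIA URL or reuse one cached from another site, which is why the gap shows up only on some clients.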

L1 Bithead

I do not see the XML inside my configuration file that you are referencing.  I'm on PAN-OS 3.1.9, are you running something else?  The Certificates are referenced in my configuration file in the Captive Portal and SSL-VPN sections, but the actual certificates are not in this file.

L4 Transporter

I am using 4.0+ software only. No idea where certificates are stored on 3.x, but it looks like it shares the same bug.
