01-07-2011 06:26 AM
Hi!
I am using a DigiCert certificate for the SSL VPN portal and the management interface, and it all works well with most browsers. However the certification chain requires an intermediate CA to be trusted/sent as well, and I haven't managed to get that to work on the PAN-box.
It's not a big issue as most browsers seem to be able to resolve the chain by themselves, but for example Firefox on Linux and the iPad are unable to verify the chain.
I have added the intermediate certificate required as a trusted CA but that didn't seem to help.
Any suggestions or tips are greatly appreciated.
Thanks, Tom
04-30-2012 07:10 AM
SSL certificates were not included in the config XML file until 4.0.
Also, instead of rebooting the device or the dataplane, when importing the same certificate that you already imported, just give it a new name, then change your SSLVPN or captive portal config to use this new certificate.
01-18-2011 03:18 PM
What version of Firefox is running on the Linux and iPad devices?
05-09-2011 12:13 PM
Hi.
I have the same problem with Digi intermediate certificate.
Did you find any solution to this problem?
Thanks, Roger
05-10-2011 06:46 AM
I didn't notice either; however, I am having the same issue with my DigiCert certificates not being trusted on my iOS devices served up via either the Palo Alto or a set of Juniper SAs we have when connecting using Safari or the Junos Pulse client. I believe this might be an iOS cert store issue.
12-06-2011 06:50 PM
Have you found a resolution to this issue? I am experiencing the same problem.
12-07-2011 04:05 AM
Hello,
The problem happens because PAN-OS doesn't always import the intermediate certificate (I don't know why). The fix is to edit the XML configuration file to add the intermediate certificate, then upload it back to your box and commit.
Many browsers don't complain about a missing intermediate cert, because many of them embed widespread vendors' intermediates in addition to root CAs (which is a pure security mess of course).
12-07-2011 04:18 AM
Here is an extract from XML which is missing intermediate:
<entry name="Mgmt and Portal">
<common-name>xxxxxxxxxxxxxxxxx</common-name>
<ca>no</ca> <expires>Sep 2 2014</expires>
<expiry-epoch>1409649540</expiry-epoch>
<public-key>Bag Attributes localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
</public-key>
The fix consists of inserting the intermediate certificate after the existing one inside the <public-key> statement:
<entry name="Mgmt and Portal">
<common-name>xxxxxxxxxxxxxxxxx</common-name>
<ca>no</ca> <expires>Sep 2 2014</expires>
<expiry-epoch>1409649540</expiry-epoch>
<public-key>Bag Attributes localKeyID: E7 87 5F A3 C3 D0 95 2E DF E3 D6 3C A6 F6 41 F8 30 D8 E2 53
friendlyName: xxxxxxxxxx
subject=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
issuer=xxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
MIIFlTCCA32gAwIBAgIEeFaJjDANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCRlIxEjAQ
BgNVBAgTCVZpbmNlbm5lczESMBAGA1UEBxMJVmluY2VubmVzMRAwDgYDVQQKEwdFU1N
JTE9SMRQwEgYDVQQLEwtNSVMgTmV0d29yazEhMB8GA1UEAxMYRVNT
......
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aEd5y3GY3i4aWL/LKXe70PBADPZjnDvnJ5e6QhK94uIQdBh9kC26vy89SYsO+XbGOjnZN0QvyvCia
U80x2DrJvbMgKego/ZHQ6B45YckeyZ97YtRd30TZI/eDfCtgtrPbm4RLCYjqPESfnx1xyQnbMyqQ7q
FzGetu6ouKSllYycKyErYJbAoVYpozGx59i0gYTVCJluKcx3POnozvw7ZPUzJMgBMRJdS3Va8WW
kLcHynh1rlcHwWPK022ouJFrMHEQ.........
-----END CERTIFICATE-----
</public-key>
Import your XML file back, commit and enjoy. Be aware that you will need to restart your appliance dataplane or even reboot, because PAN-OS doesn't detect that there was a real change inside the public certificate chain (another bug?), so it won't reload it during commit.
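The XML edit described in the post above, scripted as an added example (not code from this thread or from Palo Alto Networks): it finds the named certificate entry, appends the intermediate PEM after the leaf inside <public-key>, and refuses to add it twice. The config skeleton and both PEM bodies are constructed placeholders that mirror the shape shown in the post; the entry name "Mgmt and Portal" is taken from it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the shape of the <entry> shown in the thread, with the
# real certificate body replaced by a placeholder. Not a real PAN-OS export.
SAMPLE_CONFIG = """<config>
  <shared><certificate>
    <entry name="Mgmt and Portal">
      <common-name>vpn.example.test</common-name>
      <ca>no</ca>
      <public-key>Bag Attributes
friendlyName: portal
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
</public-key>
    </entry>
  </certificate></shared>
</config>
"""

# Constructed placeholder standing in for the vendor's intermediate CA PEM.
INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
INTERMEDIATECERTPLACEHOLDER
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the PEM certificate blocks found in text, in order."""
    return PEM_BLOCK.findall(text or "")

def append_intermediate(config_xml, entry_name, intermediate_pem):
    """Return (new_xml, added): config with the intermediate appended to the
    named entry's <public-key> text, unless that block is already present."""
    root = ET.fromstring(config_xml)
    entry = root.find(f".//certificate/entry[@name='{entry_name}']")
    if entry is None:
        raise KeyError(f"no certificate entry named {entry_name!r}")
    pk = entry.find("public-key")
    if pk is None or not pem_blocks(pk.text):
        raise ValueError("entry has no PEM certificate in <public-key>")
    new_blocks = pem_blocks(intermediate_pem)
    if len(new_blocks) != 1:
        raise ValueError("expected exactly one PEM block for the intermediate")
    if new_blocks[0] in pk.text:
        return config_xml, False  # idempotent: chain already contains it
    # Append after the leaf so the order is leaf first, then intermediate.
    pk.text = pk.text.rstrip() + "\n" + new_blocks[0] + "\n"
    return ET.tostring(root, encoding="unicode"), True
```

After importing the rewritten XML, the post's caveat still applies: PAN-OS may not reload the chain on commit, so check what the portal actually serves before trusting the change.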
12-07-2011 09:06 AM
I do not see the XML inside my configuration file that you are referencing. I'm on PAN-OS 3.1.9, are you running something else? The Certificates are referenced in my configuration file in the Captive Portal and SSL-VPN sections, but the actual certificates are not in this file.
12-07-2011 09:10 AM
I am using 4.0+ software only. No idea where certificates are stored on 3.x, but it looks like it shares the same bug.
05-22-2013 01:23 PM
Thank you, essnet! Nothing else worked for me, but manually appending the intermediate cert to the primary in XML did the trick!
I also had to reboot the devices for the change to take effect. I would've thought after 1.5 years that would be fixed.
Thanks again!