Is it possible to use wildcard certificate as forward trust certificate?


L1 Bithead

I have a wildcard certificate that already works for the GlobalProtect portal and gateway.


I would like to use this trusted certificate for SSL decryption (forward-proxy mode), but I can't make any of those certificates a Forward Trust Certificate because the checkbox is greyed out.


So, is it possible to use a wildcard certificate as a forward trust certificate? If yes, how do I do that?

Thanks in advance

 


Accepted Solutions

You cannot use the wildcard certificate nor the other ones for forward trust.

ACE8, PCNSE,PCNSC
PSE Platform Professional
PSE Endpoint Professional


6 REPLIES

L2 Linker

Hey,

 

It needs to be a certificate of the type CA, then you should be able to use it as a forward trust certificate.

 

kr,

Tommy

ACE8, PCNSE,PCNSC
PSE Platform Professional
PSE Endpoint Professional

@tommyschoemans 

I couldn't quite understand what you mean by type CA (I'm not really familiar with certificates). Is there any info that I did not include in the question that I should provide to determine whether or not it is possible to use my current certificate as a forward trust certificate?
In case you mean that it is possible to set my certificate as a forward trust certificate, how could I do that? As I stated in the question, I can't set it because it is greyed out, and I don't know the reason why it is greyed out.

The reason for it being greyed out is that the certificate is not a CA one (CA column not checked). A CA or intermediate CA can sign certificates. Your wildcard certificate is signed by Cert Comodo Int1, and this is signed by Cert Comodo Int2, etc.

 

In order to do SSL inspection you need to have a certificate that can sign certificates on behalf of the intercepted website to present to the end users. So you just need to create yourself a root or intermediate CA (preferably) to use as a forward trust certificate. The easiest way, if you have a Microsoft AD, is to use the MS PKI and create one there. The certificate will already be trusted by your AD members. Otherwise just use OpenSSL and have the CA certificate imported into the Windows certificate store and, if using Firefox, the Firefox certificate store.

 

kr,

 

Tommy

ACE8, PCNSE,PCNSC
PSE Platform Professional
PSE Endpoint Professional
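
The distinction described in the reply above, as an added example that is not part of the original thread: a private CA and a wildcard certificate are created with OpenSSL, and each is checked for the X.509 `basicConstraints` CA flag that separates a certificate able to sign others from an end-entity certificate. All subjects, file names and the `example.test` domain are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names, subjects and paths below are constructed.
set -eu
WORK=$(mktemp -d)

cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF

# Private CA: CA:TRUE plus keyCertSign is what allows it to issue certificates.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/pki.cnf" \
    -extensions v3_ca -subj "/CN=Example Forward Trust CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Wildcard server certificate issued by that CA: an end-entity cert (CA:FALSE).
make_wildcard() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -subj "/CN=*.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/pki.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# is_ca FILE: succeeds only if the certificate carries basicConstraints CA:TRUE.
is_ca() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *CA:TRUE*) return 0 ;; *) return 1 ;; esac
}

make_ca
make_wildcard
for c in ca leaf; do
  if is_ca "$WORK/$c.crt"; then echo "$c.crt: CA certificate, can sign other certificates"
  else echo "$c.crt: not a CA, cannot sign other certificates"; fi
done
```

Only `ca.crt` is distributed to client trust stores; `ca.key` stays with the device that does the signing.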

@tommyschoemans 

I see, please confirm this, so I can't use my current certificates (Cert COMODO Root, COMODO Int1, COMODO Int2 or wildcard which is signed by COMODO) to use as forward trust certificate, right?

I will close my questions (accept solutions) once this confirmed.
Thanks.

You cannot use the wildcard certificate nor the other ones for forward trust.

ACE8, PCNSE,PCNSC
PSE Platform Professional
PSE Endpoint Professional

Hi Team,

Can I use a wildcard certificate for Decryption Policy?
