10-14-2017 12:54 PM
It has been years since I have done anything with Microsoft CA so I am really struggling.
Here is the problem:
When enabling URL filtering and I am blocking a certain site that has HTTP and HTTPS, the HTTP page will present the block page, but the HTTPS does not.
I am not doing any SSL Decrypt, I want to in the future but that is requiring certs too. Need to work one thing at a time.
So here is the article I am trying to follow:
A certificate to be used for Forward Trust on the Palo Alto Networks device, where it is one of the following:
The first option requires me to give my self-signed cert to the Systems team and have them deploy it out via GP to all clients, which could take a while. So I want the second option. My environment doesn't have an intermediate CA, just a Root CA, so I should be able to import that since all clients already have this cert.
What I can't find is how to get the root CA cert on the Palo Alto. Do I need to do a CSR? I am unsure how to get the root cert with cert and key. I can export it out of my local domain machine, but there is no key so it's useless. So when working with Palo Alto in an MS CA environment, are there more in-depth articles on how to perform some of these tasks?
10-14-2017 07:18 PM
Update -
I have figured out how to get a sub CA cert in my PA, with some help from Microsoft articles on how to create a template and then generate a CSR within the PA. So for a test I assigned that cert to my WEB GUI authentication to test. When accessing the firewall within Microsoft IE it works flawlessly, no cert errors on HTTPS. Chrome and Firefox not so much; obviously when it's an MS PKI it's going to work just fine in IE, but how do I get this to work within Chrome and Firefox? I cannot go around to all user browsers and install this cert, it's not realistic.
10-14-2017 08:09 PM
Decrypt is in place, but keep getting this error in the browser:
NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM
So if I just type "google.com" it redirects to https and that's the error I get, I cannot continue. So looking into the error:
10-15-2017 05:17 AM
Hi @s.williams1
Are you sure that your CA cert is a SHA256 cert on the firewall? Or did you sign your CA cert with an intermediate CA instead of the root?
Chrome should not complain about SHA1 as root cert (at least not now). Chrome only gives you this error when there is a SHA1 CA which is not the root.
Regards,
Remo
10-15-2017 06:55 AM
My environment doesn't have an intermediate CA.
I followed this article here:
https://digitalscepter.com/blog/entry/ssl-decryption-implementation
I went to my CA server, copied the "subordinate CA template" and renamed it to something with Palo Alto in it. Deployed the template to the CA.
Took the CSR from the generated cert on the Palo Alto and pasted it into the web enrollment part of the CA and selected the template, downloaded that CA and imported it into the firewall. It is valid.
What am I missing?
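An added example, not code from this thread, from the linked blog post or from Palo Alto Networks: the procedure described above and Remo's diagnosis, modelled with Go's standard library and constructed names and keys. The "device" generates a key and hands out only a CSR (the private key never leaves it, which is also why exporting the root from a domain-joined machine yields no key), a mock CA signs that CSR as a CA:TRUE subordinate the way the copied "Subordinate Certification Authority" template does, and `weakChainMembers` then walks the chain for the condition Remo describes: an MD5 or SHA-1 signature on any certificate that is not a self-signed root. The hypothetical common names, serial numbers and validity periods are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// All names, serials and key sizes below are constructed for this example.

func newRSAKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func mustParse(der []byte) *x509.Certificate {
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeRoot issues a self-signed root CA, standing in for the existing
// enterprise root on the Microsoft CA. sigAlg lets a test model a root that
// was itself set up with SHA-1.
func makeRoot(key *rsa.PrivateKey, sigAlg x509.SignatureAlgorithm) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Enterprise Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SignatureAlgorithm:    sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return mustParse(der)
}

// deviceCSR is the firewall side: the key is generated on the device and only
// the CSR is pasted into the CA's web enrollment page.
func deviceCSR(key *rsa.PrivateKey) *x509.CertificateRequest {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "Firewall Forward Trust CA"},
	}, key)
	if err != nil {
		panic(err)
	}
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		panic(err)
	}
	return csr
}

// signSubordinateCA is the CA side: like a "Subordinate Certification
// Authority" template it issues a CA:TRUE certificate for the CSR's public
// key, signed by the root with the hash the CA is configured to use.
func signSubordinateCA(csr *x509.CertificateRequest, root *x509.Certificate, rootKey *rsa.PrivateKey, sigAlg x509.SignatureAlgorithm) *x509.Certificate {
	if err := csr.CheckSignature(); err != nil {
		panic(err) // requester could not prove possession of the device key
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               csr.Subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(2, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may issue leaf (decryption) certs only
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
		SignatureAlgorithm:    sigAlg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	return mustParse(der)
}

// weakChainMembers returns the subject CN of every certificate in chain that
// carries an MD5 or SHA-1 signature and is not a self-signed root. A trusted
// root is accepted by identity, so its own signature is never checked; every
// certificate issued below it is, which is why a SHA-1 subordinate CA is
// flagged while a SHA-1 root is not.
func weakChainMembers(chain []*x509.Certificate) []string {
	weakAlgs := map[x509.SignatureAlgorithm]bool{
		x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
		x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
	}
	var weak []string
	for _, c := range chain {
		selfSigned := bytes.Equal(c.RawSubject, c.RawIssuer)
		if !selfSigned && weakAlgs[c.SignatureAlgorithm] {
			weak = append(weak, c.Subject.CommonName)
		}
	}
	return weak
}

func main() {
	rootKey := newRSAKey()
	root := makeRoot(rootKey, x509.SHA256WithRSA)
	csr := deviceCSR(newRSAKey())

	// CA still signing with SHA-1: the subordinate is flagged.
	sub := signSubordinateCA(csr, root, rootKey, x509.SHA1WithRSA)
	fmt.Println("SHA-1 subordinate, weak members:", weakChainMembers([]*x509.Certificate{sub, root}))
	// Go's own verifier rejects the same signature (InsecureAlgorithmError since Go 1.18).
	fmt.Println("Go CheckSignatureFrom:", sub.CheckSignatureFrom(root))

	// Re-issued after the CA was switched to SHA-256: nothing to report.
	sub = signSubordinateCA(csr, root, rootKey, x509.SHA256WithRSA)
	fmt.Println("SHA-256 subordinate, weak members:", weakChainMembers([]*x509.Certificate{sub, root}))
}
```

On a Microsoft CA the hash used to sign issued certificates is a property of the CA, not of the template, so a subordinate flagged by this check is fixed by changing the CA's signing hash (on a CNG-backed CA, `certutil -setreg ca\csp\CNGHashAlgorithm SHA256`, then restarting the service) and re-issuing the subordinate from the same CSR; nothing on the firewall side needs to change. The root's own signature algorithm is irrelevant to the browser error as long as the root itself is in the client trust store.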
10-15-2017 05:42 PM
This article was much more helpful.