Need assistance with Certs and Firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Need assistance with Certs and Firewall

L4 Transporter

I has been years since I have done anything with Microsoft CA so I am really struggling. 

 

Here is the problem:

 

When enabling URL filtering and I am blocking a certain site that has HTTP and HTTPS, the HTTP page will present the block page, but the HTTPS does not. 

 

I am not doing any SSL Decrypt, I want to in the future but that is requiring certs too. Need to work one thing at a time.

 

So here is the article I am trying to follow:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Serve-a-URL-Response-Page-Over-an...

 

 A certificate to be used for Forward Trust on the Palo Alto Networks device. where it is one of the following:

  • A self-signed/self-generated certificate with which the box for "Certificate Authority" has been checked 
    Note: if using a self-signed/sef-generated certificate it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors
  • An intermediate CA certificate installed on the Palo Alto Networks device which was generated by an organization's internal CA.

 

The first option requires me to give my self signed cert to the Systems team and have deploy it out via GP to all clients, that could take a while. So I want the second option. My environment doesnt have an intermediate CA, just a Root CA, so I should be able to import that since all clients already have this cert. 

 

What I can find is how to get the root CA cert on the palo alto. Do I need to do a CSR, I am unsure how to get the root cert with cert and key. I can export it out of my local domain machine, but there is not a key so its useless. So when working with Palo Alto in a MS CA enviroment are there more in depth articles on to perform some of these tasks?

 

5 REPLIES 5

L4 Transporter

Update -

 

I have figured out how to get a sub ca cert in my PA, with some help of Microsoft articles on how to create a template and then generate a CSR within the PA. So for a test I assinged that cert to my WEB GUI authentication to test. When accessing the firewall within Microsoft IE it works flawlessly, no cert errors on HTTPS. Chrome and firefox not so much, obvioulsy when its a MS PKI its going to work just fine in IE, but how do I get this to work within Chrome and Firefox? I cannot go around to all user browsers and install this cert, its not realistic. 

Decrypt is in place, but keep getting this error in the browser:

 

NET::ERR_CERT_WEAK_SIGNATURE_ALGORITHM

 

So if I just type "google.com" it redirects it to https and thats the error I get, I cannot not continue. So looking into the error:

 

Certificate error
There are issues with the site's certificate chain (net::ERR_CERT_WEAK_SIGNATURE_ALGORITHM).
 
SHA-1 certificate
The certificate chain for this site contains a certificate signed using SHA-1.
 
So it would appear that while my Palo Alto cert is SHA256 hash algorithm, my Root CA is SHA1 😞
 
And from what I can read SHA1 is not supported with chrome, and I assume most modern browsers. So I assume then when the traffic is being Proxied via the firewall cert and it starts to verify the chain and sees SHA1 it breaks.
 
ANy work arounds to this?
 

Hi @s.williams1

 

Are you sure that your CA cert is a SHA256 cert on the firewall? Or did you sign your CA cert with an intermediate CA instead of the root? 

Chrome should not complain about SHA1 as root cert (at least not now). Chrome only gives you this error when there is a SHA1 CA which is not the root.

 

Regards,

Remo

My environment doesnt have an intermediate CA. 

 

I followed this article here:

https://digitalscepter.com/blog/entry/ssl-decryption-implementation

 

I went to my CA server, copied the "subordinate CA template" and renamed it to something with Palo Alto in it. Deployed the template to the CA. 

 

Took the CSR from the generated cert on the palo alto and pasted it into the web enrollment part of the CA and selected the template, downloaded that CA and imported into the Firewall. It is valid. 

 

What am I missing? 

  • 3106 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!