Newbie: Local (wildcard?) certificate(s)

L3 Networker

I'm running a VM-100 with several zones where I have MS AD / WSUS in one, two zones with lots of wireless device management, another zone for vmware management etc.

Every day I run into web browsers yelling about insecure access to local device management due to lack of trusted certificates. I know I can just continue to create and import local certs to keep the noise low, but I wanted to ask here if there is a possibility to purchase a cert from a trusted provider and that this cert can be used to 'certify' all of my local zones / subnets including local MS WSUS servers, Work Folders etc...

I've been told that this must be a wildcard cert, but I'd be grateful if you can enlighten me on my options and point me in the right direction(s).

L3 Networker

bump

Not possible or silly question...?

Cyber Elite

If you only need the certs for internal purposes you don't have to buy a public wildcard cert. This can be done with an internal PKI (Public Key Infrastructure). And if you have / want an internal PKI you could also create the certs on your Palo Alto firewall. First you need to generate a Root CA Cert where you enable the CA checkbox. After that, I would recommend generating an intermediate CA cert where you also enable the CA checkbox and choose the option that this intermediate CA cert will be signed by the previously generated root CA cert. After that, you are ready to generate your wildcard cert, which should be signed by your intermediate CA cert.

You have to export your generated root cert (only the public key) and import this one to your client(s) to avoid cert warnings in the browser. To make it even more secure, export the root CA cert (this time with the private key) and store it on a USB flash drive or another computer which is offline (not attackable over the network). Be careful that you do not lose this root CA key.

Hope this helps.

Regards,

Remo
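
The hierarchy described in the answer above (root CA, intermediate CA, wildcard certificate), built with OpenSSL instead of the firewall's certificate GUI, as an added example that is not part of the original thread. The domain `corp.example`, the subject names, file names, key size and lifetimes are assumptions; the last lines also check which host names the wildcard actually covers.

```shell
#!/bin/sh
# Added example (constructed names): root CA -> intermediate CA -> wildcard cert.
set -eu

build_chain() {   # $1 = working directory, $2 = internal DNS domain
  d=$1; dom=$2
  cat > "$d/ext.cnf" <<EOF
[root_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[int_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$dom, DNS:$dom
EOF
  # Key + CSR for each tier. -nodes leaves the keys unencrypted (demo only).
  for n in root int wild; do
    openssl req -new -newkey rsa:3072 -nodes -keyout "$d/$n.key" \
      -subj "/O=Example Corp/CN=$n.$dom" -out "$d/$n.csr" 2>/dev/null
  done
  # Root: self-signed, CA flag set (the "CA checkbox").
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -sha256 -extfile "$d/ext.cnf" -extensions root_ca -out "$d/root.crt" 2>/dev/null
  # Intermediate: CA flag set, signed by the root; pathlen:0 = may issue leaves only.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/ext.cnf" -extensions int_ca \
    -out "$d/int.crt" 2>/dev/null
  # Wildcard server cert: not a CA, signed by the intermediate.
  openssl x509 -req -in "$d/wild.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/ext.cnf" -extensions leaf \
    -out "$d/wild.crt" 2>/dev/null
}

verify_host() {   # $1 = working directory, $2 = host name a browser would request
  # Clients trust only root.crt; the server sends int.crt along with its own cert.
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -verify_hostname "$2" "$1/wild.crt" >/dev/null 2>&1
}

demo=$(mktemp -d)
build_chain "$demo" corp.example
verify_host "$demo" wsus.corp.example && echo "wsus.corp.example: trusted"
# A wildcard covers one label only, so a name in a sub-zone is rejected.
verify_host "$demo" esx1.mgmt.corp.example || echo "esx1.mgmt.corp.example: rejected"
rm -rf "$demo"
```

Only `root.crt` goes to the clients' trust store; servers present `wild.crt` together with `int.crt`, and `root.key` can then be moved offline as the answer recommends.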
