
Newbie: Local (wildcard?) certificate(s)


L3 Networker

I'm running a VM-100 with several zones where I have MS AD / WSUS in one, two zones with lots of wireless device management, another zone for vmware management etc.

 

Every day I run into web browsers yelling about insecure access to local device management due to lack of trusted certificates.  I know I can just continue to create and import local certs to keep the noise low, but I wanted to ask here if there is a possibility to purchase a cert from a trusted provider and that this cert can be used to 'certify' all of my local zones / subnets including local MS WSUS servers, Work Folders etc...

 

I've been told that this must be a wildcard cert, but I'd be grateful if you can enlighten me on my options and point me in the right direction(s).

2 REPLIES 2

L3 Networker

bump

 

Not possible or silly question...?

If you only need the certs for internal purposes you don't have to buy a public wildcard cert. This can be done with an internal PKI (Public Key Infrastructure). And if you have / want an internal PKI you could also create the certs on your PaloAlto firewall. First you need to generate a Root CA Cert where you enable the CA checkbox, after that I would recommend to generate an intermediate CA cert where you also enable the CA checkbox and choose the option that this intermediate CA cert will be signed by the previously generated root CA cert. After that you are ready to generate your wildcard cert which should be signed by your intermediate CA cert.

Your generated root cert you have to export (only the public key) and import this one to your client(s) to avoid cert warnings in the browser (and to make it even more secure, export the root CA cert (this time with the private key) and store it on a USB flash drive or another computer which is offline (not attackable over the network). Be careful that you do not lose this root CA key).

 

Hope this helps.

 

Regards,

Remo
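
The root, intermediate and wildcard hierarchy described in the reply above, built with the OpenSSL command line instead of the firewall GUI. This is an added example, not part of the original posts; the CA names, the `lab.example` domain, the file names and the validity periods are assumptions.

```shell
#!/bin/sh
# Added example: all names (Lab Root CA, lab.example, file names) are assumptions.

# build_chain DIR DOMAIN: root CA -> intermediate CA -> wildcard server cert.
build_chain() (          # subshell body keeps cd/umask local to the function
  set -e
  umask 077              # private keys readable by the owner only
  mkdir -p "$1" && cd "$1"
  domain=$2
  cat > ext.cnf <<EOF
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[int_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.$domain
EOF
  newcsr() {             # newcsr NAME CN: key (unencrypted for the demo) + CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2"
  }
  # 1. Self-signed root (the "CA checkbox" corresponds to basicConstraints CA:TRUE).
  newcsr root "Lab Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ext.cnf -extensions root_ca -out root.crt
  # 2. Intermediate CA signed by the root; root.key can go offline after this.
  newcsr int "Lab Intermediate CA"
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ext.cnf -extensions int_ca -out int.crt
  # 3. Wildcard server certificate signed by the intermediate.
  newcsr wildcard "*.$domain"
  openssl x509 -req -in wildcard.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 365 -extfile ext.cnf -extensions leaf -out wildcard.crt
)

# check_host DIR HOSTNAME: succeed only if the chain verifies up to root.crt
# (the one file clients import) and HOSTNAME matches the certificate's SAN.
check_host() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" \
    -verify_hostname "$2" "$1/wildcard.crt" >/dev/null 2>&1
}
```

Clients import only `root.crt`, while each server presents `wildcard.crt` together with `int.crt`. A wildcard matches a single DNS label, so `check_host DIR wsus.lab.example` succeeds but a name one level deeper such as `wsus.mgmt.lab.example` fails and needs its own SAN entry or certificate.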
