01-11-2019 09:40 AM - edited 01-11-2019 01:31 PM
I'm running a VM-100 with several zones where I have MS AD / WSUS in one, two zones with lots of wireless device management, another zone for vmware management etc.
Every day I run into web browsers yelling about insecure access to local device management due to lack of trusted certificates. I know I can just continue to create and import local certs to keep the noise low, but I wanted to ask here if there is a possibility to purchase a cert from a trusted provider and that this cert can be used to 'certify' all of my local zones / subnets including local MS WSUS servers, Work Folders etc...
I've been told that this must be a wildcard cert, but I'd be grateful if you can enlighten me of my options and point me in the right direction(s).
01-12-2019 06:58 AM
bump
Not possible or silly question...?
01-12-2019 12:18 PM
If you only need the certs for internal purposes you don't have to buy a public wildcard cert. This can be done with an internal PKI (Public Key Infrastructure). And if you have / want an internal PKI you could also create the certs on your PaloAlto firewall. First you need to generate a Root CA cert where you enable the CA checkbox, after that I would recommend to generate an intermediate CA cert where you also enable the CA checkbox and choose the option that this intermediate CA cert will be signed by the previously generated root CA cert. After that you are ready to generate your wildcard cert which should be signed by your intermediate CA cert.
Your generated root cert you have to export (only the public key) and import this one to your client(s) to avoid cert warnings in the browser (and to make it even more secure, export the root CA cert (this time with the private key) and store it on a USB flash drive or another computer which is offline (not attackable over the network). Be careful that you do not lose this root CA key).
Hope this helps.
Regards,
Remo
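The same three-tier chain Remo describes (root CA, intermediate CA signed by the root, wildcard cert signed by the intermediate, clients trusting only the exported root), built with openssl as an added example so the result can be inspected; this is not code from the thread or from Palo Alto. The domain `lab.example.internal`, the CN values and file names are constructed placeholders.

```shell
# Added example: root -> intermediate -> wildcard chain with openssl (not from the thread).
# All names below are constructed placeholders.
set -eu; cd "$(mktemp -d)"
# Extensions per tier, plus a minimal [req] section so no system openssl.cnf is needed.
# Only the two CA certs carry CA:TRUE (the "CA checkbox" in the answer);
# pathlen:0 keeps the intermediate from issuing further CAs.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.lab.example.internal
EOF
# Key pair and CSR for one tier: $1 = file basename, $2 = subject CN
csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config ext.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}
build_chain() {
  csr root "Lab Root CA"             # root.key is the file to move offline afterwards
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
    -extfile ext.cnf -extensions v3_root -out root.crt 2>/dev/null
  csr int "Lab Intermediate CA"      # signed by the root
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ext.cnf -extensions v3_int -out int.crt 2>/dev/null
  csr wild "*.lab.example.internal"  # wildcard leaf, signed by the intermediate
  openssl x509 -req -in wild.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 825 -sha256 -extfile ext.cnf -extensions v3_leaf -out wild.crt 2>/dev/null
}
# What a client that trusts only root.crt (public part, no key) does: build the
# path through the intermediate and match the hostname. Non-zero = browser warning.
verify_host() {
  openssl verify -CAfile root.crt -untrusted int.crt -verify_hostname "$1" \
    wild.crt >/dev/null 2>&1
}
build_chain
verify_host wsus.lab.example.internal   # ok; a.b.lab.example.internal would not match
```

A wildcard covers exactly one label, so hosts nested one level deeper than `*.lab.example.internal` still trigger the warning; the failing check at the end shows that.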