Using Panorama 6.0.0
Followed the work instruction here:
I create the certificate signing request populating all required parameters
I am using Venafi for certificate management.
Venafi enforces a certificate policy so all my certificates have correct parameters when they are issued.
It includes some parameters that differ from the parameters in the CSR.
Unless the parameters match exactly the certificate does not import correctly. There is no way to make them explicitly match up when you attempt to add a Subject Alternate Name field (for use with DNS aliases and/or NAT'ed management interfaces, for example).
I am left with the choice to violate certificate policy, or to not have internally signed certificates on Panorama.
The Panorama host CSR generation tool does not accept the signed certificate if any parameters are different.
Will there be a way to associate the CSR to an imported certificate?
Will there be a way to add freeform x509 attributes to the CSR?
I got this working, and Panorama validated the CSR using the imported-but-non-compliant-certificate.
I committed and saved the configuration, however the certificate still displays as self-signed to a new browser session when managing the target device.
Is a reboot or other poke of Panorama required?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!