Placing valid Panorama management SSL certificate using internal CA


Using Panorama 6.0.0

Followed the work instruction here:

How to Generate a CSR and Import the Signed CA Certificate

I create the certificate signing request, populating all required parameters.

I am using Venafi for certificate management.

Venafi enforces a certificate policy so all my certificates have correct parameters when they are issued.

It includes some parameters that differ from the parameters in the CSR.

Unless the parameters match exactly, the certificate does not import correctly. There is no way to make them explicitly match up when you attempt to add a Subject Alternate Name field (for use with DNS aliases and/or NAT'ed management interfaces, for example).

I am left with the choice to violate certificate policy, or to not have internally signed certificates on Panorama.

The Panorama host CSR generation tool does not accept the signed certificate if any parameters are different.

Will there be a way to associate the CSR to an imported certificate?

Will there be a way to add freeform x509 attributes to the CSR?

I got this working, and Panorama validated the CSR using the imported-but-non-compliant-certificate.

I committed and saved the configuration, however the certificate still displays as self-signed to a new browser session when managing the target device.

Is a reboot or other poke of Panorama required?
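
An added example, not part of the original post and not Palo Alto Networks or Venafi code: a shell function that uses the `openssl` CLI to show which fields differ between a CSR and the certificate issued for it (the mismatch the post describes), and whether the public key still matches. The function names, file names, subjects and the self-signed stand-in certificate in `demo` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Print one normalized field. $1 = req|x509, $2 = file, $3 = subject|san|pubkey
field() {
  case "$3" in
    subject) openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 |
               sed 's/^subject= *//' ;;
    san)     openssl "$1" -in "$2" -noout -text |
               grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' ;;
    pubkey)  openssl "$1" -in "$2" -noout -pubkey |
               openssl dgst -sha256 | awk '{print $NF}' ;;
  esac
}

# Report every field. Returns 0 = identical, 1 = same key but subject/SAN
# changed, 2 = public key differs (certificate is not for this CSR's key pair).
compare_csr_cert() {
  local csr=$1 cert=$2 rc=0 f a b
  for f in subject san pubkey; do
    a=$(field req "$csr" "$f")
    b=$(field x509 "$cert" "$f")
    if [ "$a" = "$b" ]; then
      echo "MATCH $f"
    else
      echo "DIFF  $f: csr='$a' cert='$b'"
      if [ "$f" = pubkey ]; then rc=2; else rc=1; fi
    fi
  done
  return "$rc"
}

# Constructed sample input: a CSR, plus a self-signed certificate that reuses
# the CSR's key but has an extra O= and a SAN, standing in for a certificate
# whose fields were rewritten by CA policy.
demo() {
  local d rc=0
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
    -out "$d/req.csr" -subj "/CN=panorama.example.internal" 2>/dev/null
  openssl req -x509 -new -key "$d/key.pem" -days 1 -out "$d/cert.pem" \
    -subj "/O=Example Corp/CN=panorama.example.internal" \
    -addext "subjectAltName=DNS:panorama.example.internal,DNS:mgmt.example.internal" \
    2>/dev/null
  compare_csr_cert "$d/req.csr" "$d/cert.pem" || rc=$?
  rm -rf "$d"
  return "$rc"
}

demo || echo "fields differ (status $?)"
```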
