"Only self signed CA cert can have identical sub and issuer fields" when uploading a certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

"Only self signed CA cert can have identical sub and issuer fields" when uploading a certificate

L0 Member

This message appears when uploading an external CA certificate to the sistem. "Only self signed CA certificates can have identical subject and issuer fields". It's a Microsoft-adfs autosigned CA certificate used to sign SAML messages and we can't not change that, you know if there's any way to upload this certificate to the system in order we can use it? thanks! 

32 REPLIES 32

L0 Member

Having this same issue. Anyone help with this?

L0 Member

Snap same issue, did anyone resolve this?

Had same issue but managed to work around this. 

 

1) Export XML config. 

2) Set the CA flag.

3) Re-Import XML config. 

 

🙂

If you are configuring Microsoft SAML  for  MFA then you just need to 

 

1>Export the XML file under SAML IDentity provider.

This will automatically create the certificate for you.

 

2>You do not need to check the CA under the certificates.

MP

Help the community: Like helpful comments and mark solutions.

Have you tried it yourself ?

 

There is no "export" option under "SAML Identity Provider". I think you meant "Import". Even if you "Import" the XML from Azure, It doesn't set the CA flag. 

 

You still get an error on commit as well. Only way around it that I've worked out is what I mentioned previously. 

Sorry i Mean Import the XML file to PA

Yes i tried in my environment and it works.

Also you do not want the CA Flag to check.

 

MP

Help the community: Like helpful comments and mark solutions.

How have you defined your certificates under authentication profile ?

 

I have used a wildcard cert to sign SAML messages to IDP and the Azure Cert selected under "Certificate Profile". 

 

The only way to select the Azure Cert for "Certificate Profile" is to ensure it has the CA flag set. 

 

I can confirm that SAML response and assertion work.

Yes the Certificate which is created automatically is defined under Authentication Profile and also under SSL/TLS profile.

Are you using Azure SAML for MFA or Global protect VPN?

 

 

MP

Help the community: Like helpful comments and mark solutions.

How did you define it within the authentication profile, certificate profile and SSL/TLS Service Profile ?

 

You can only select certs which have the CA flag set under "Certificate Profiles" which is then referenced within the "authentication profile". 

 

For the "SSL/TLS service profile" the same applies but I've used a signed wildcard cert instead and imported the chain under "Certificates" to complete the trust. 

 

Using SAML for Global Protect VPN. 

 

Correction

Typo Cert which is automatically generated from XML file is not used in Authentication profile and SSL/TLS profile

MP

Help the community: Like helpful comments and mark solutions.

No worries. 🙂

 

Think you need it for response and assertion to work correctly. Therefore, You'll need to ensure the CA flag is set. 

 

I'm not 100% sure if that's how your supposed certs for this as neither Palo Alto nor Azure actually tell you how to do the certs correctly. 😞

 

 

Yes we need that cert for response and assertion to work correctly.

I have no CA checked for these certs under the certificates.

Seems there are many ways to make the SAML work with VPN.

MP

Help the community: Like helpful comments and mark solutions.

L2 Linker

Ok, so it seems lots of people would have this problem since self signed certs for SAML Identity providers are probably best practice.    (We started with a CA signed cert but then after doing certificate rollover with 40+ service providers a year and a half later decided this was insane.)

 

Palo Alto support tells me to either use a CA cert or generate a new cert in PaloAlto. Either way would force me into the certificate rollover process with all my service providers)   Did anyone ever figure out a trick or workaround for this?   This thread is not auspicious.

 

 

 

 

You tried the workaround I mentioned ?

  • 36636 Views
  • 32 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!