"Only self signed CA cert can have identical sub and issuer fields" when uploading a certificate


L0 Member

This message appears when uploading an external CA certificate to the system: "Only self signed CA certificates can have identical subject and issuer fields". It's a Microsoft ADFS self-signed CA certificate used to sign SAML messages and we can't change that. Do you know if there's any way to upload this certificate to the system so that we can use it? Thanks!

34 REPLIES

L6 Presenter

If you are talking about setting up Azure SAML, it seems the XML is the only way. I went through this last month and it is kind of confusing... It seems that under "correct" SAML you should get 1) a root CA certificate for the SAML infrastructure, 2) a public certificate signed by the CA for the Azure SAML gateway, and 3) a private/public signed cert for the PaloAlto. That way you can verify traffic and sign messages in both directions.

 

However, it seems Azure only supplies you with a single self-signed public certificate for the SAML gateway. The default PaloAlto config has "Validate Identity Provider Certificate" enabled, but that doesn't work unless you have a signing root CA and sub certificates. Likewise, Azure doesn't have a cert from the PA, so it can't validate that either. Instead, all traffic happens over the HTTPS connection from PA to Azure signed by the self-signed certificate.

 

There are two small notes about this in the KB articles, but they are easy to miss:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U48CAE

Step 2 of the PA setup:

Option: Uncheck Validate Identity Provider Certificate. If checked, the certificate from Azure needs to be uploaded on the firewall as well.

 

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-saml-authenticati...

Step 2.5 of the SAML Authentication KB:

If your IdP signing certificate is a self-signed certificate, there is no chain of trust; as a result, you cannot enable this option. The firewall always validates the signature of the SAML Responses or Assertions against the Identity Provider certificate that you configure whether or not you enable the Validate Identity Provider Certificate option. If your IdP provides a self-signed certificate, ensure that you are using PAN-OS 9.1.3 or a later 9.1 version to mitigate exposure to CVE-2020-2021.

 

So you end up with a Device->Server Profiles->SAML Identity Provider configuration that has "Validate Identity Provider Certificate" disabled and a Device->Authentication Profile configuration that has "Certificate for Signing Requests" and "Certificate Profile" set to None.

Thanks for the help.  Support did point me to this article which worked.  As you said, also needed to uncheck the Validate IdP Cert box in the SAML config.  It is for Azure MFA when using Global Protect.  Thanks again!

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNrkCAG

L0 Member

Tried the steps below but unable to use the certificate in the Server profile for the Identity Provider Certificate.

 

1) Export XML config. 

2) Set the CA flag.

3) Re-Import XML config. 

 

L0 Member

Hello Everyone!

 

I know it's an old post, but I'm sure people are still running into issues (like myself).

Can someone from PA put together a KB article with the correct process to accomplish this?

L0 Member

I ran into the same issue.

I had to use the Federation Metadata XML from Azure and import that through the Authentication Profile.

Create a new auth profile, choose Type SAML, then under IdP Server Profile choose Import. This will load the cert, which allows you to switch your existing SAML setup to using it. Then you can delete the auth profile you used to load the cert.

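To see the rule behind that error message before you upload anything, here is an added example (not from this thread or from Palo Alto Networks) that generates two constructed self-signed certificates with openssl, a real root CA and an ADFS-style signing cert without the CA flag, and classifies each the way the message implies; the accept/reject logic is my reading of the message, not the firewall's code.

```shell
#!/bin/sh
# Added example: mirror the "only self-signed CA certs may have identical
# subject and issuer" rule with plain openssl, so the rejection is predictable.
set -eu
WORK=$(mktemp -d)

# Minimal req config; the two extension sections model a real root CA and a
# self-signed, non-CA signing certificate like the one ADFS/Azure hands out.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[ext_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ext_idp_signing]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# make_cert NAME EXT_SECTION -> writes $WORK/NAME.pem (constructed test cert)
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -config "$WORK/req.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# classify_cert FILE -> prints "accept" or "reject:<reason>"
# Rule (my reading of the error message): subject == issuer is only allowed
# when basicConstraints says CA:TRUE; any other self-signed cert is refused.
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  issr=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subj" != "$issr" ]; then
    echo "accept"   # issued by some other CA: subject and issuer differ
  elif openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
    echo "accept"   # self-signed root CA
  else
    echo "reject:self-signed but not a CA (no basicConstraints CA:TRUE)"
  fi
}

make_cert rootca ext_ca
make_cert adfs-signing ext_idp_signing
for c in rootca adfs-signing; do
  printf '%s: %s\n' "$c" "$(classify_cert "$WORK/$c.pem")"
done
```

The second line of output is the situation in this thread: the ADFS cert is self-signed but carries no CA flag, so as a CA certificate it is refused, which is why the posts above import it through the IdP metadata or set the CA flag in the exported XML instead.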
