"Only self signed CA cert can have identical sub and issuer fields" when uploading a certificate

Cyber Elite

 

Correction

Typo: the cert which is automatically generated from the XML file is not used in the Authentication profile and SSL/TLS profile.

MP
L2 Linker

No worries.

I think you need it for response and assertion to work correctly. Therefore, you'll need to ensure the CA flag is set.

I'm not 100% sure if that's how you're supposed to do the certs for this, as neither Palo Alto nor Azure actually tells you how to do the certs correctly.

Cyber Elite

Yes we need that cert for response and assertion to work correctly.

I have no CA checked for these certs under the certificates.

Seems there are many ways to make the SAML work with VPN.

MP
L2 Linker

Ok, so it seems lots of people would have this problem, since self-signed certs for SAML Identity Providers are probably best practice. (We started with a CA-signed cert, but after doing certificate rollover with 40+ service providers a year and a half later, decided this was insane.)

Palo Alto support tells me to either use a CA cert or generate a new cert in Palo Alto. Either way would force me into the certificate rollover process with all my service providers. Did anyone ever figure out a trick or workaround for this? This thread is not auspicious.

L2 Linker

Did you try the workaround I mentioned?

L2 Linker

Thanks for replying, I really appreciate it. As to the workaround, maybe I am dense, but I dumped out the XML and reviewed the <certificate> block. Each existing certificate is present and I can see how to change the <ca></ca> flag, but since I can't import the certificate I need, it is not in this section. I thought I could just manually add the needed certificate to this section, since I have the PEM-encoded public key for the certificate and I can pull most of the fields from the cert, but I was stumped by the subject and issuer hash tags, since I am not aware of what hashing algorithm they are using. (See below for an example CA entry.)

I admit, I must be missing something obvious; can you guide me in the error of my ways?

Thanks,

John

<entry name="DigiCertCA">
<subject-hash>58754cf2</subject-hash>
<issuer-hash>81b9768f</issuer-hash>
<not-valid-before>Oct 22 12:00:00 2013 GMT</not-valid-before>
<issuer>/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA</issuer>
<not-valid-after>Oct 22 12:00:00 2028 GMT</not-valid-after>
<common-name>DigiCert SHA2 High Assurance Server CA</common-name>
<algorithm>RSA</algorithm>
<expiry-epoch>1855828800</expiry-epoch>
<ca>yes</ca>
<subject>/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA</subject>
<public-key>-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----</public-key>
</entry>

L2 Linker

Is that the actual certificate?

It's a root CA so it's going to have the CA flag already set.

[screenshot attachment]

Export candidate-config:

[screenshot attachment]

L2 Linker

No, sorry if this was not clear. As I noted, this is just an example certificate from an existing CA taken from the XML config export. Since I can't import the certificate I need to add through the GUI, it is not in the export to tweak.

I included the example section to illustrate the fields you would need to have to manually create a certificate entry and import the config. I think I could put correct values in for most of them, but am stumped by what hashing algorithm Palo Alto is using to generate the

<subject-hash>58754cf2</subject-hash>
<issuer-hash>81b9768f</issuer-hash>

Thanks!

But maybe I don't need to go down this path. Do you know of another way?

L2 Linker

Nothing to do with Palo. Here you go, mate.

[screenshot attachment]

[screenshot attachment]

L2 Linker

Easy enough, will give it a try. Should have Googled it or gone to openssl rather than relying on Windows' lame SSL cert tools. Thanks a million.
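The subject-hash/issuer-hash question above, worked as an added example (not from the thread, Palo Alto or OpenSSL): the issuer-hash 81b9768f in the posted DigiCert entry is the legacy (MD5-based) OpenSSL name hash of the DigiCert High Assurance EV Root CA, so the PAN-OS fields appear to be what `openssl x509 -noout -subject_hash_old` / `-issuer_hash_old` print. The Python below reproduces that hash from a DER certificate with a minimal DER walker; since no real certificate is on the page, `fake_cert` builds a constructed certificate shell (hypothetical names, no key or signature) to exercise it, and a real PEM would simply be base64-decoded between the BEGIN/END lines first.

```python
import hashlib

def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split SEQUENCE/SET content into its child TLVs (raw bytes, tag and length included)."""
    out, pos = [], 0
    while pos < len(content):
        end = der_read(content, pos)[2]
        out.append(content[pos:end])
        pos = end
    return out

def cert_names(cert_der):
    """Return the (issuer, subject) Name TLVs of a DER X.509 certificate, in RFC 5280 field order."""
    _, cert, _ = der_read(cert_der)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:               # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    return fields[2], fields[4]            # serial, signature, issuer, validity, subject, ...

def name_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old: first 4 bytes of MD5(DER Name), little-endian, as 8 hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(name_der).digest()[:4], "little")

# Constructed sample input below (hypothetical names, no real key or signature).
def der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString cn } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))

def fake_cert(issuer_cn, subject_cn):
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                  # [0] version v3
        der(0x02, b"\x01"),                                             # serialNumber
        der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        name(issuer_cn),
        der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z")),  # validity
        name(subject_cn),
        der(0x30, b""),                                                 # subjectPublicKeyInfo stub
    ]))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

For a self-signed certificate the issuer and subject Name TLVs are byte-identical, so both hashes come out equal, which is exactly the condition the upload error ties to the `<ca>` flag. MD5 is used here only because that is what the legacy OpenSSL hash is defined with; it serves as a lookup key, not as a security control.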
