Setup SSL Inbound Inspection with 3rd party certs

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Setup SSL Inbound Inspection with 3rd party certs

L4 Transporter

Greetings!

I have a SharePoint server in a DMZ and would like to setup SSL Inbound Inspection. Is it possible to set this up if I am using third party (GoDaddy) certs? I tried exporting the cert from IIS and uploading to PA; it allows me to select in the inbound decryption policy but it is NOT decrypting the traffic.

1 accepted solution

Accepted Solutions

L4 Transporter

So I put this off for a few days and just came back to it. I realized that going to the GP portal yielded a green URL bar so it chained correctly. Then I went to the device and noticed it no longer had the cert chain errors upon commit and was decrypting the SharePoint traffic correctly. My only guess is that once the cert information is changed, maybe it takes the PAN a bit to make those changes?

View solution in original post

13 REPLIES 13

L4 Transporter

Ok, it should work.... So... when you look in the logs, what are you seeing?  Web-browsing on 443, just ssl being identified, etc.

Can you give me the process of how you exported and imported the cert file?

What format was the cert in?  .DER format, .PEM format, etc.  Did you do anything with the private key (that was provided by the IIS server).

Let us know, and we can try to help you out.

Thanks!

The logs are showing everything as just SSL; I checked the detailed information to make sure decrypted was not checked for those sessions. So nothing is being decrypted.

As far as the cert, I exported the cert from the IIS server into pfx format and entered a password to do so. I imported into the PA and entered the same password. The cert has the private key box checked.

Hmmm,

I think the import may need to be in PEM format only (based on 4.1 Student Guide)

Key block needs to be encrypted with a passphase and chain of trust needs to be imported also.

I would try to see if this could be a solution.

Thanks for the reply.

Two things:

1. I think the PAN may have imported it correctly as I was able to switch the web gui to using this cert (I have 4 SANs on the cert, one of them meant for the web gui of the PAN). I tested afterwards and my browser gets a green connection to it. This would imply that the PAN correctly has the public and private key, correct?

2. I have NOT imported the intermediate cert from GoDaddy. It comes in a p7b extension and the PAN cannot import this natively How would I convert it?

I think you may have imported a cert, however I still believe in following the student training documentation (which specifically states PEM format)

As for the command... use SSL Converter and it will do it for you.

If you want to be 100% certain, the best thing is to speak with the technical support group and get it from the experts.

Let the community know what you found to be the resolution.

Enjoy!!

Thanks for the info.

I went ahead and converted the intermed. cert and end cert to PEM and uploaded to the firewall. I am however now getting an error when I commit that it cannot complete the certificate chain for that certificate. I checked the PAN's Trusted Root CA section and GoDaddy IS listed. Ideas?

Hmmm, it seems that the FW does not have the complete certificate of trust chain from IIS up to the GoDaddy.

Can you confirm on your Device Certificate tab, that your imported IIS certificate has the usage type of Forward Untrust Certificate AND Forward Trust Certificate?

How did you import your certificate chain? I understand the IIS cert was converted and imported, I just am curious your steps that you took to import the certificate chain.

Please advise.

I found a doc on the PA website, which may help. It is somewhat outdated (from 2009), but the process should still be the same.

That is actually the document I followed to get the correct cert from IIS. GoDaddy provides two certs, the end cert and the intermed. cert. I uploaded the end cert from IIS and the Intermed cert. In the Cert. panel of the PAN UI, it correctly shows the end cert nested under the Intermed. cert.

I do NOT have the forward trust/untrust boxes checked because this is not for outgoing decryption. This is for inbound inspection.

This may be related but I cannot get the GlobalProtect portal working correctly with the cert either. I changed the GP Portal to use the GD cert I designated for it and commited it. When visiting the site, it still does not show green for HTTPS and when I click to view the cert, it shows "localhost" as the cert name even though I changed it to the GD cert under GlobalProtect Portal.

Well, I know for GP that your GP Portal needs to be setup as for issuing certs and there is a command called

set shared certificate <cert file name> ca.

I think that I have extinguished as much as I can do, all seems to be setup/imported correctly.

I think now is a good time to contact tech support and let them have a stab at it...

Could be there is just a step or 2 that we are missing...

Let me know....

I have tried contacting support but my client I guess paid for their support through ComputerLinks. PAN said that because of this, I have to go through ComputerLinks for support. ComputerLinks has been less than ideal. Thanks for your guidance thus far though!

L4 Transporter

So I put this off for a few days and just came back to it. I realized that going to the GP portal yielded a green URL bar so it chained correctly. Then I went to the device and noticed it no longer had the cert chain errors upon commit and was decrypting the SharePoint traffic correctly. My only guess is that once the cert information is changed, maybe it takes the PAN a bit to make those changes?

  • 1 accepted solution
  • 8151 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!