SSL Certificates CA Verisign

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SSL Certificates CA Verisign

L1 Bithead

Hello,

we have import the CA Certificate from Verisign and want to activate the Antivirus function (policies).

But only the

"Trusted Root CA"

is available in the "Certificate Information"

the option "Forward Trust Certificate" is gray and not available.

But that the function what we need.

We will check upload traffic to the servers  in the trust lan of the paloalto

System: PaloAlto 500 v5.0.6

Anyone knows this problem.

Info: when we make a self signed CA we can choose the option "Trusted Root CA".

15 REPLIES 15

L4 Transporter

Hi

Please read last reply by Gwesson  from Re: Decryption certificate

and follow this doc https://live.paloaltonetworks.com/docs/DOC-1412

I hope that will explain You enought.

Regards

Slawek

L6 Presenter

Hi Netmaster,

Decryption can be done only by self signed Root CA or Sub-ordinate CA. The reason is this certificate signs, another certificate for the traffic.

Lets say you generate a.crt self signed certificate on the firewall. Now traffic comes for bankofamerica.com on firewall. Now a.cert will sign a certificate for bankofamerica.com and forwards it to user.

Only self signed cert and subordinate cert has this capability to sign another certificate.

As long as I know verisign will not provide you subordinate certificate. Let me know if it helps.

Regards,

Hardik Shah

L1 Bithead

Hi,

thanks for the two answers, thats help to understand how it works in the firewall.

Now we have make a self signed Root CA and a decrypt like this doc:

https://live.paloaltonetworks.com/docs/DOC-1412

but it doesnt work. We want to make Inbound SSL decryption!

The traffic were not decrypted, we don´t see a decrypt flag in the logs of the packets (policies).

And when we make a openssl question from outside to the server we see the ssl cert from the server and not self signed from the firewall.

Config:

shared {

    ssl-decrypt {

      ssl-exclude-cert;

      trusted-root-CA [ int_test_com int_test];

      forward-trust-certificate int_test_com;

      forward-untrust-certificate int_test_com;

    }

      int_test_com {

        subject-hash fc08871a;

        issuer-hash fc08871a;

        not-valid-before "Aug 27 14:16:26 2014 GMT";

        issuer "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";

        not-valid-after "Aug 27 14:16:26 2015 GMT";

        common-name int.test.com;

        expiry-epoch 1440684986;

        ca yes;

        subject "/C=DE/ST=Bayern/L=Ismaning/O=test AG/CN=int.test.com";

        public-key "-----BEGIN CERTIFICATE-----

.....

decryption {

              rules {

                int_test_antivirus {

                  category any;

                  type {

                    ssl-inbound-inspection int_test_com;

                  }

                  from untrust;

                  to trust;

                  source any;

                  destination any;

                  source-user any;

                  negate-source no;

                  negate-destination no;

                  action decrypt;

from untrust;

                  to trust;

                  source any;

                  destination int_test_com;

                  source-user any;

                  category any;

                  application [ ssl web-browsing];

                  service [ service-http service-https];

                  hip-profiles any;

                  action allow;

                  log-start yes;

                  log-end yes;

                  negate-source no;

                  negate-destination no;

Hi Netmaster,

In Inbound Decryption, you get original certificate of the server, its different than outbound decryption. So, you always get server cert, its expected behavior.

Configuration looks good, can I get same configuration in GUI format.

1. Provide certificat in GUI

2. Provide Decryption policy in GUI

3. Provide Traffic log in GUI, which says its not decrypted.

Regards,

Hardik Shah

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!