SSL Certificates from enterprise CA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Certificates from enterprise CA

L4 Transporter

I will admit, certificates are one of my bigest hates.. I just can't get on with them

 

Firstly we have a microsoft EnterPrise CA. Which I am not overly familiar with anyway ( But I have managed to get the web interface workig on it...)

 

Idealy what I would love is top be able to generate certificates on the firewall that are trusted by all clients...

 

But I can start small!

I have followed many BITTY guides to try and pice together some thing that works, but keep getting no good success.

 

Firstly I would like a certificate that works for the management login page! Tried many thing ( creating a sigingin request, importing the CA [i think] from Microsoft, trying SubordinateCA's ) But nothing works on the login page , and yes I am attaching the service profile in the device config..

 

Then I need to create decryption certificates, but that's the next step.

 

Loosing the will to live.

 

Rob

 

 

 

 

 

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

This is the article you will need to follow for the management interface certificate:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSxCAK

 

For the SSL decryption, you'll need a Subordinate CA certificate so it can generate certs on the fly.

 

https://live.paloaltonetworks.com/t5/Blogs/Generating-Certificates-from-CSR-for-Decryption/ba-p/1710...

 

Regards,

Yes followed those a million times over and could not get a certificate that was trusted by Chrome (Don't use IE as the Palo interface causes it to SWALLOW memory)....

 

After a bit more digging, looking at the chrome error "ERR_CERT_COMMON_NAME_INVALID" this is actually a bit of a poor eroor message. Chrome aparently looks at the cert for a SAN, supposedly..

 

During the PA certificate generation there is no option to populate the SAN attribute.

 

So, when generating this through the web interface on the Internal CA, you can manualy add the attribute.

fwcert.jpg

 

After importing that cert and deleting all my unsuccessful previous attemtps from the CA...

 

suck.jpg

 

Cheers

 

Rob

 

 

So,

 

I have no idea how I got this to work yesterday, I did some further work and removed the workign certificate then could not get it to work again????

 

On inspecting the certificates that were being generated I could see there was no SAN entries??? But no errors were generated.


I tried on the CLI of the CA server, and got the same, certificates were generated with no errors but no SAN 😞

I tried on the CLI of the CA server, but using our old CA to generate the cert, certificates were generated with no errors but and SAN was listed.

 

Bit of furhter researcha nd discovered that you can enable/disable SAN on certificates..

 

There are policies for certificate creation and one is ( EDITF_ATTRIBUTESUBJECTALTNAME2 ) for SAN.

 

It's a registry key but, we can also do this

 

To view the policy we use...

 

certutil -getreg policy\EditFlags

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\cumberland-PROD-MSAPP01-CA-1\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags:

  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -getreg command completed successfully.

 

 

And to update the policy

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

 

 

Old Value:
  EditFlags REG_DWORD = 11014e (1114446)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)

New Value:
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40 (64)
    EDITF_ENABLEAKIKEYID -- 100 (256)
    EDITF_ENABLEDEFAULTSMIME -- 10000 (65536)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
    EDITF_ENABLECHASECLIENTDC -- 100000 (1048576)
CertUtil: -setreg command completed successfully.
The CertSvc service may need to be restarted for changes to take effect.

 

 

 

 

After restarting CERT Service, SAN creation now works.

 

I can now create a certificate with SAN names for all our firewalls and that will be accepted by Chrome.

 

 


Rob

 

 

Hello,

Nice writeup!

 

Cheers!

  • 7938 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!