SSL CSR SAN Multiple Uses

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL CSR SAN Multiple Uses

L2 Linker

PA-5220, 8.0

 

I need to generate a CSR for a cert that will be used for multiple things - web gui admin, globalprotect vpn, etc. The instructions for how to gen the CSR with subject alternative names are not clear.

 

Should the common name be one of the uses e.g. vpn.mycompany.com or should the common name be *.mycompany.com with all host names listed as attributes e.g. vpn.mycompany.com, webgui.mycompany.com, etc.

 

5 REPLIES 5

L7 Applicator

i'm not sure what instructions you were following but it may be a mixture of wildcard/SAN cert..

 

 

CN=vpn.mycompany.com

 

certificate attributes

 

hostname=webgui.mycompamy.com

hostname=vpn2.mycompamy.com

hostname=anyfink.mycompamy.com

 

as per...      https://live.paloaltonetworks.com/t5/Management-Articles/Creating-Certificate-Subject-Alternate-Name...

 

8.0 documentation is where I got confused. See bolded text below. Why would a Host Name attribute match the Common Name?

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/certificate-management/obtain-certif...

 

9. (Optional) Add the Certificate Attributes to uniquely identify the firewall and the service that will use the certificate.

If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.

I think what its trying to say that if your CN is fred.com and your portal address dns resloves to fred.com then adding joe.com to the SAN will cause a cert issue for GP.

 

so... your get request is for fred.com but the trusted cert will have a hostname of joe.com...

 

in their example you dont need to add a hostname attribute, the SAN of fred.com will be assumed.

 

so... for the case of a single host cert, if you are going to add hostname attribute (not actually required) then keep it the same as the CN.

 

the ref doc link you provided is not really for SAN certs.

 

 

 

 

 

 

 

 

Hmmm... just re-read my previous post and I obviously have no idea what I'm talking about...

 

i need to re-read the statement "9" note in that document.

 

below... from Palo...

 

If you add a Host Name attribute, it is a best practice for it to match the Common Name (this is mandatory for GlobalProtect). The host name populates the Subject Alternative Name field of the certificate.

 

perhaps someone else can decypher this....

 

I've got the web gui configured for now. Had to gen a new CSR and make sure to include SANs for web gui, etc. 

 

Next step is to configure GlobalProtect with the cert. 

  • 4326 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!