09-03-2018 07:18 PM
Hi
I ran into an issue with the decryption cert being provided by my PA: it had expired.
It was 30 days in. I believe this is an issue with the date time comparison and timezones, as it has fixed itself today.
How do I find / look at these temp certs via the CLI?
How can I delete / renew or purge them from the CLI?
A
09-04-2018 01:53 PM - edited 09-04-2018 02:01 PM
Renew:
request certificate renew certificate-name <value> days-till-expiry <1-7300>
Revoke:
request certificate revoke certificate-name <value>
Show:
configure
show shared certificate-profile <name>
Show the expiration dates of all certs on the firewall:
set cli config-output-format set
configure
show shared certificate | match not-valid-after
In the CLI you can use this command to find other commands:
find command keyword <value>
09-13-2018 06:17 PM - edited 09-13-2018 06:17 PM
These are not the certs created by the ssl proxy
Should add my Support Engineer basically said you can't see them.
09-14-2018 12:39 AM
Ups ... I (completely) misunderstood something here 😛
... in this case the possible commands you can find here: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-View-SSL-Decryption-Information-f...
With this command you can show at least some of the information that you asked for:
show system setting ssl-decrypt certificate-cache
And yes, certificate management isn't really possible with these dynamically created certs.
09-14-2018 12:41 AM
Or also always a good start to find TLS decryption information: https://live.paloaltonetworks.com/t5/Management-Articles/SSL-decryption-resource-list/ta-p/70397
09-14-2018 12:50 AM
That's strange.
I do this
show system setting ssl-decrypt certificate-cache | match flynumber
I know flynumber is in there, but this comes back with nothing.