SSL Decryption - Enterprise CA

cafowler · ‎02-01-2017

Hi Everyone,

Recently a decision was made to implement SSL Decryption for outbound inspection. We work within a Microsoft PKI environment and are experiencing issues in signing the CSR generated by the firewall. I create the CSR based on the "how to implement and test ssl decryption" document I found via the Live Community (https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption... So, the CSR is designated as a CA and set to Signed by External Authority (CSR). Unfortunately, each time I receive the certificate, the Forward Trust Certificate is greyed out. We've tried both - CA box checked and CA box unchecked, the result is the same. We did find that our SubCA's were under constraints and cannot sign, so we used the Root to perform the signing but the result is the same.

Just wondering if anyone has a suggestion or if we need to review and follow the workaround I found here: https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Implement-Certificates-Issued-from-M....

thank you,

Carter

sullivanpj2 · ‎02-01-2017

I don't believe you will have to generate a CSR for this. You can either do a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure). Steps 1-4 are all done within the Microsoft Certificate Server while steps 5-6 are when you import the certificate into the firewall. Try generating a cert from within your environment and import that generated certificate into the firewall.

Generating and Importing a Certificate from Microsoft Certificate Server

On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate template “subordinate CA”. Download the cert.
After downloading, export the certificate from the local certificate store. In IE, access the Internet Options dialog, select the Content tab, then click the Certificates button. The new certificate can be exported from the Personal certificates store. Select “Certificate Export Wizard”, export the private key, then select the format. Enter a passphrase and a file name and location for the resulting file. The certificate will be in a PFX format (PKCS #12).
To extract the certificate, use this openSSL[4] command:
openssl pkcs12 –in pfxfilename.pfx –out cert.pem –nokeys
To extract the key, use this openSSL command:
openssl pkcs12 –in pfxfilename.pfx –out keyfile.pem -nocerts
Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab > Certificates screen.
In the case of a High Availability (HA) Pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

- Peter

View solution in original post

sullivanpj2 · ‎02-01-2017

I don't believe you will have to generate a CSR for this. You can either do a self-signed CA on the firewall or import a Subordinate CA (from your own PKI infrastructure). Steps 1-4 are all done within the Microsoft Certificate Server while steps 5-6 are when you import the certificate into the firewall. Try generating a cert from within your environment and import that generated certificate into the firewall.

Generating and Importing a Certificate from Microsoft Certificate Server

On the Microsoft Certificate Server for your organization, request an advanced certificate using certificate template “subordinate CA”. Download the cert.
After downloading, export the certificate from the local certificate store. In IE, access the Internet Options dialog, select the Content tab, then click the Certificates button. The new certificate can be exported from the Personal certificates store. Select “Certificate Export Wizard”, export the private key, then select the format. Enter a passphrase and a file name and location for the resulting file. The certificate will be in a PFX format (PKCS #12).
To extract the certificate, use this openSSL[4] command:
openssl pkcs12 –in pfxfilename.pfx –out cert.pem –nokeys
To extract the key, use this openSSL command:
openssl pkcs12 –in pfxfilename.pfx –out keyfile.pem -nocerts
Import the cert.pem file and keyfile.pem file into the Palo Alto Networks firewall on the Device tab > Certificates screen.
In the case of a High Availability (HA) Pair, also load these files into the second Palo Alto Networks firewall, or copy the certificate and key via the High Availability widget on the dashboard.

- Peter

cafowler · ‎02-09-2017

Thank you for the repsonse Peter, greatly appreciated. What we ended up doing is what you suggested in your first paragraph, we asked for a certificate to be issued which is a Subordinate CA. Problem solved. When I suggested the article "How to Implement Certificates Issued from Microsoft Certificate Services" it was met with hesitation, so haivng a certificate created which is a Subordinate worked out nicely.

Cheers,

Carter

kchopra01 · ‎05-03-2018

Hi Peter, Just going through your solution . So , If I want to use internal PKI infra , then there is no need to generate CSR on firewall ?

What do I tell my customer like , to directly provide me the CA certificate ? I mean they dont need my CSR ? Because when I am providing CSR and importing certificate , then that forward trust option is greyed out ...

Raido_Rattameister · ‎05-04-2018

You have many options.

- Generate CA cert on firewall and push it to domain member computers with Group policy

- Import existing CA into firewall and use this

- Use Subordinate CA signed by existing internal CA

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Unlock your full community experience!

SSL Decryption - Enterprise CA

SSL Decryption - Enterprise CA

Show your appreciation!