09-16-2024 11:42 AM
Hello,
After creating an external CA cert, the Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA are greyed out, so I can't select them.
All options are available when I create a self-signed certificate.
Any idea?
Thanks
09-16-2024 12:07 PM
Sounds like you don't have the private key. When you say you created an external CA cert, do you mean you generated a self-signed CA on the firewall itself or you created the request to have the certificate created by an external CA (like an enterprise CA)?
09-17-2024 08:39 AM
@KTarver wrote:
Hello,
After creating an external CA cert, the Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA are greyed out, so I can't select them.
All options are available when I create a self-signed certificate.
Any idea?
Thanks
If you're trying to do SSL Decryption for your internal systems you shouldn't be using an external certificate authority. You're ultimately going to need a wildcard certificate for everything on the Internet and no external CA is going to give you that.
You're going to either need to have an internal CA that is trusted by all your internal clients or you can create it from the firewall, but again you'd need to have the full firewall CA certs to include the wildcard cert as trusted for your internal clients. Otherwise the client browsers will throw errors about the interception process.
09-17-2024 10:07 AM
Hi Brandon and thanks for your reply.
I am having trouble following you.
Purely from a PKI standpoint, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard. That is on the decryption side (LAN ingress traffic).
But my issue is before getting to that point.
From the FW, I created a CSR --> processed it with the CA and got a cert --> uploaded the new cert to the FW. When I do this, 2 issues occur:
1- The CSR remains "pending"
2- The newly uploaded cert has all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.
I am trying to understand why the 2 above are happening.
Thanks again Brandon
09-17-2024 10:10 AM
Hi BPry and thanks for your reply.
The latter.
I created a CSR via the FW --> processed it through the CA --> uploaded the new cert to the FW.
Part of the process when creating a CSR is the creation of the private and public key local to the device. This way the private key stays safe. So a private key exists.
Thanks again BPry!
09-18-2024 07:20 AM
@KTarver wrote:
Hi Brandon and thanks for your reply.
I am having trouble following you.
Purely from a PKI standpoint, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard. That is on the decryption side (LAN ingress traffic).
But my issue is before getting to that point.
From the FW, I created a CSR --> processed it with the CA and got a cert --> uploaded the new cert to the FW. When I do this, 2 issues occur:
1- The CSR remains "pending"
2- The newly uploaded cert has all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.
I am trying to understand why the 2 above are happening.
Thanks again Brandon
When doing SSL Interception the decryption certificate needs to be a wildcard certificate that can impersonate any domain from any TLD. If it's not a wildcard certificate then it won't work. Like @BPry mentioned I'm going to assume you meant your "external CA" was external from the FW, not external from your enterprise.
Your internal PKI has a "Root" and some "Intermediate" certificate authority servers. Those CAs need to be loaded to your FW. Those CAs need to be loaded in your client machine cert stores. You need to generate a CSR from the firewall from one of those Intermediate CAs, which will then be signed by your internal PKI as a wildcard certificate. When they sign the cert and give it back to you, when you upload it you should see it chained and shown in this screenshot:
Root --> ICA (Intermediate CA) --> SSL Cert:
The specific steps to get this to work can be found here:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0&lang=en_US
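As an added example (not from the thread, and not Palo Alto Networks' own tooling), here is an openssl lab that builds the Root --> ICA --> firewall-cert chain described above, with the CSR's private key staying local as KTarver noted, and then checks the properties a decryption CA certificate needs before it is uploaded: it must itself be a CA certificate (the firewall uses it to sign the per-site certificates it presents to clients), the key on the box must match the cert the CA handed back, and the chain must verify against the bundle loaded on the firewall and clients. All file names and subjects are constructed; the CA:FALSE "srv" variant is included only for contrast.

```shell
#!/bin/sh
# Added example, not from the thread or from Palo Alto Networks: a throwaway lab
# PKI (Root -> ICA -> firewall cert) built with openssl, plus a pre-upload check of
# the properties a forward-trust (decryption) certificate needs. File names,
# subjects and the CA:FALSE "srv" variant are constructed for illustration.
set -eu
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT

build_lab_pki() {
  # Extension profiles: a signing CA and, for contrast, a plain web-server cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$LAB/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >"$LAB/srv.ext"
  # Root: self-signed with the CA profile.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
    -keyout "$LAB/root.key" -out "$LAB/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$LAB/root.csr" -signkey "$LAB/root.key" -days 30 -sha256 \
    -extfile "$LAB/ca.ext" -out "$LAB/root.pem" >/dev/null 2>&1
  # Intermediate (ICA): issued by the root with the CA profile.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
    -keyout "$LAB/ica.key" -out "$LAB/ica.csr" >/dev/null 2>&1
  openssl x509 -req -in "$LAB/ica.csr" -CA "$LAB/root.pem" -CAkey "$LAB/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$LAB/ca.ext" -out "$LAB/ica.pem" >/dev/null 2>&1
  # "Firewall" CSR: the key pair is generated locally; only the CSR leaves the box.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
    -keyout "$LAB/fw.key" -out "$LAB/fw.csr" >/dev/null 2>&1
  # The same CSR signed two ways: as a CA (what decryption needs) and as a server cert.
  openssl x509 -req -in "$LAB/fw.csr" -CA "$LAB/ica.pem" -CAkey "$LAB/ica.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$LAB/ca.ext" -out "$LAB/fw-ca.pem" >/dev/null 2>&1
  openssl x509 -req -in "$LAB/fw.csr" -CA "$LAB/ica.pem" -CAkey "$LAB/ica.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$LAB/srv.ext" -out "$LAB/fw-srv.pem" >/dev/null 2>&1
  cat "$LAB/root.pem" "$LAB/ica.pem" >"$LAB/chain.pem"  # bundle loaded on the FW and clients
}

# check_forward_trust_cert CERT KEY CHAIN: returns 0 only if CERT can act as a decryption CA
check_forward_trust_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  # 1. Must be a CA: the firewall signs the impersonated site certificates with it.
  printf '%s' "$text" | grep -q 'CA:TRUE' || { echo "FAIL $1: not a CA cert"; return 1; }
  printf '%s' "$text" | grep -q 'Certificate Sign' || { echo "FAIL $1: no keyCertSign"; return 1; }
  # 2. The private key kept on the box must match the cert the CA handed back.
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
    || { echo "FAIL $1: private key does not match"; return 1; }
  # 3. Root -> ICA -> cert must verify against the bundle loaded on FW and clients.
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo "FAIL $1: chain does not verify"; return 1; }
  echo "OK $1: $(openssl x509 -in "$1" -noout -subject)"
}

build_lab_pki
check_forward_trust_cert "$LAB/fw-ca.pem" "$LAB/fw.key" "$LAB/chain.pem"
check_forward_trust_cert "$LAB/fw-srv.pem" "$LAB/fw.key" "$LAB/chain.pem" || true  # fails: CA:FALSE
```

Run the same checks against the certificate your CA actually returned (plus the firewall's exported key and your Root+ICA bundle) before uploading it.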
09-18-2024 12:45 PM
Hi Brandon,
Thanks for the information! That was very useful. I did what you said and created the wildcard in the CN of the CSR. That allowed me to successfully import the cert created by the CA, and the options are now available to select!
Thanks Brandon!
09-18-2024 01:23 PM
Awesome, glad to help.