SSL forward trust option


L4 Transporter

Hi,

 

We have a certificate generated by RapidSSL as a CA, but we can NOT set this certificate as a Forward Trust certificate to use in SSL Decryption; the option shows as disabled. The root is in the list "Default Trusted Certificate Authorities".

 

Why is the option disabled???

 

(screenshot attached: 1.JPG)


9 replies

L7 Applicator

Because it is only a server certificate and not a CA certificate.

We want to do this:

 

  • (Recommended Best Practice) Enterprise CA-signed Certificates—An enterprise CA can issue a signing certificate that the firewall can use to sign the certificates for sites which require SSL decryption. When the firewall trusts the CA that signed the certificate of the destination server, the firewall can send a copy of the destination server certificate to the client, signed by the enterprise CA. This is a best practice because usually all network devices already trust the Enterprise CA (it is usually already installed in the devices’ CA Trust storage), so you don’t need to deploy the certificate on the endpoints, so the rollout process is smoother.

SSL-decrypt with a certificate signed by RapidSSL. Is there any procedure for that? We only see the procedure for generating a CA in Palo Alto.

Hi @BigPalo

 

You can either generate a CA cert on your firewall or use a cert signed/generated by an enterprise CA, but you will not get a CA cert from any of the public trusted certificate authorities.

To do SSL Proxy Decryption, you must have a Forward Trust certificate.  To mark a certificate as a Forward Trust certificate, it must have an attribute that marks it as a Certificate Authority.  Commercial Certificate Authorities, such as RapidSSL, do not typically sign CA certs for customers - because this will allow a customer to issue certificates under their trust chain, which could be for anything (e.g. you could issue a certificate for live.paloaltonetworks.com that you generate yourself, and anyone that trusts RapidSSL will trust your certificate as valid.)  They would rather A.) that you not issue certificates signed by them, and B.) pay money for any certificates that you use that are signed by them.  It's kind of their entire business model.

 

To do what you want to do, you can generate a self-signed certificate that is a Certificate Authority, and mark it as your Forward Trust certificate.  Or you can generate a CSR (Certificate Signing Request) for a Certificate Authority, and have an internal CA sign that request.  Once you import the signed certificate, it will be valid for marking as a Forward Trust certificate.

 

If you have an Internal CA, it is likely to be trusted by your clients and is the better choice.  If you do not have an internal CA, the CA certificate generated by the firewall is probably the faster option, but you still need to make sure it is trusted as a Trusted Root CA certificate by all of your clients.

 

I hope this helps!

We have this certificate, signed by RapidSSL. But we cannot use it for SSL decrypt. I think it has all the requisites.

(screenshot attached: 2.jpg)

 

 

As mentioned by @JW6224, to use a certificate as an SSL forward trust cert it needs to have the CA flag set ... your cert does not have this flag set (as you can see in the CA column in your screenshot/cert list).

I hear you...I doubt that it's a CA cert, but I believe you have the certificate.  I just think it's the wrong type of certificate.

Let's look at it.  Here are the certificates for live.paloaltonetworks.com.

(screenshot attached: PAChain.png)

 

 This is Palo Alto's wildcard certificate, signed by DigiCert.  So let's look at the CA Certificate, and then inspect the Basic Constraints:

(screenshot attached: DigiCertSHA2SecureServerCA.png)

 

 

Notice that the Subject Type is listed as a CA.  This certificate can be used to sign other certificates as part of their Public Key Infrastructure.  Compare that to the actual certificate used by the website:

 

(screenshot attached: paloaltonetworkscom.png)

 

 This certificate is for an End Entity.  It can't sign other certificates.  It is good to identify/authenticate anything that matches the subject name, which is a wildcard for anything on the paloaltonetworks.com domain.  But it can't be marked as a Forward Trust certificate.

 

If you export your public certificate (the one you're trying to use as a Forward Trust) and inspect it, which does it look like?  Does it identify as a CA?

 

 

 

 

So how can a customer create a company CA certificate in order to import it into PA?


@JW6224 wrote:

 

To do what you want to do, you can generate a self-signed certificate that is a Certificate Authority, and mark it as your Forward Trust certificate.  Or you can generate a CSR (Certificate Signing Request) for a Certificate Authority, and have an internal CA sign that request.  Once you import the signed certificate, it will be valid for marking as a Forward Trust certificate.

 

If you have an Internal CA, it is likely to be trusted by your clients and is the better choice.  If you do not have an internal CA, the CA certificate generated by the firewall is probably the faster option, but you still need to make sure it is trusted as a Trusted Root CA certificate by all of your clients.

 

I hope this helps!


@BigPalo- this was from my earlier post and addresses the two options you have.
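As an added worked example (not code from this thread, from Palo Alto Networks, or from any CA), the Go program below uses only the standard library's crypto/x509 to walk through both points made above: it builds the CSR-to-internal-CA route JW6224 describes in the accepted answer, and it performs the Basic Constraints inspection he asks for earlier in the thread, the same attribute `openssl x509 -noout -text` prints under "X509v3 Basic Constraints". The root CA name, the CSR subject "Firewall Forward Trust CA", the site name www.example.com and the sequential serial numbers are all constructed for the example; EligibleAsForwardTrust is an assumed name for the attribute check the firewall performs before enabling the option, not a PAN-OS API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must unwraps (value, error) pairs so the chain-building code reads linearly.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

var serial int64 // constructed sequential serials; a real CA uses large random ones

// newTemplate builds an X.509 template. isCA sets the Basic Constraints cA bit
// and a matching Key Usage: exactly the attribute the firewall checks.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, // always emit the extension, even when cA=FALSE
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildDemoChain returns DER for three constructed certificates: an internal
// root CA, the Forward Trust CA issued from the firewall's CSR, and the server
// certificate that CA mints for a decrypted site (an end entity, like any
// certificate a public CA sells).
func BuildDemoChain() (rootDER, subDER, leafDER []byte) {
	rootKey := newKey()
	rootTpl := newTemplate("Example Internal Root CA", true)
	rootDER = must(x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey))
	root := must(x509.ParseCertificate(rootDER))

	// Firewall side: fresh key pair plus a CSR naming the Forward Trust CA.
	fwKey := newKey()
	csrDER := must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: "Firewall Forward Trust CA"}}, fwKey))
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err) // the CSR proves possession of the firewall's private key
	}

	// Internal CA side: a CSR carries no CA decision; the issuer sets cA=TRUE here.
	subTpl := newTemplate(csr.Subject.CommonName, true)
	subTpl.MaxPathLen, subTpl.MaxPathLenZero = 0, true // may issue end entities only
	subDER = must(x509.CreateCertificate(rand.Reader, subTpl, root, csr.PublicKey, rootKey))
	sub := must(x509.ParseCertificate(subDER))

	// Decryption time: the firewall re-signs the site's identity under its CA.
	siteKey := newKey()
	leafDER = must(x509.CreateCertificate(rand.Reader, newTemplate("www.example.com", false), sub, &siteKey.PublicKey, fwKey))
	return rootDER, subDER, leafDER
}

// EligibleAsForwardTrust (assumed name) reports whether a DER certificate has
// what a decryption proxy needs to issue certificates under it: Basic
// Constraints with cA=TRUE and, if Key Usage is present, keyCertSign.
func EligibleAsForwardTrust(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	switch {
	case err != nil:
		return false, err
	case !cert.BasicConstraintsValid || !cert.IsCA:
		return false, errors.New("Basic Constraints missing or cA=FALSE: end-entity certificate")
	case cert.KeyUsage != 0 && cert.KeyUsage&x509.KeyUsageCertSign == 0:
		return false, errors.New("Key Usage lacks keyCertSign")
	}
	return true, nil
}

// ClientAccepts validates the re-signed site certificate the way a browser
// would, with or without the internal root in its trust store.
func ClientAccepts(leafDER, subDER, rootDER []byte, trustRoot bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot {
		roots.AddCert(must(x509.ParseCertificate(rootDER)))
	}
	inters.AddCert(must(x509.ParseCertificate(subDER)))
	_, err := must(x509.ParseCertificate(leafDER)).Verify(x509.VerifyOptions{
		DNSName: "www.example.com", Roots: roots, Intermediates: inters})
	return err
}

func main() {
	root, sub, leaf := BuildDemoChain()
	ok, err := EligibleAsForwardTrust(leaf)
	fmt.Println("site cert eligible as Forward Trust:", ok, err)
	fmt.Println("client trusting root accepts it:", ClientAccepts(leaf, sub, root, true) == nil,
		"| client without root accepts it:", ClientAccepts(leaf, sub, root, false) == nil)
}
```

The server certificate fails EligibleAsForwardTrust for the same reason the RapidSSL certificate in the screenshots does: its Basic Constraints extension says cA=FALSE, so no amount of trust in its issuer makes it usable to sign other certificates. ClientAccepts shows the other half of the accepted answer: a client that has the internal root in its trust store accepts the re-signed site certificate, while one that does not gets an unknown-authority error, which is why the root still has to be deployed to every endpoint whichever option you pick.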
