I have installed an SSL certificate on my firewall it is working fine for all of our Palo Alto devices except one device as it is showing it is not secure.
I checked and I found that the device is still using the localhost generated certificate. I don’t know how to force it to use the SSL Certificate I installed.
Note that I set up the SSL/TLS Service Profile and chosen the proper certificate from the list of Certificates. Which is the only certificate available?
Solved! Go to Solution.
More to the point, workflow could be:
It is possible to perform it a bit quicker, but longer way is simpler.
Verify that Commit was successful on the device in question. If it was - reboot and recheck.
Open Support Case if issue persists.
Remember that WebUI certificates are not synchronized in a HA pair.
I have reinstalled a certificate that was working fine with my firewall, but suddenly I lost access to the GUI of the firewall.
I tried what is mentioned here in the link below with no luck.
I need to install webui certificate for both the palo alto , CSR will be signed by internal CA.
Do i need to create CSR from each firewall ? like i can generate from Primary firewall or from both ?
Should i incude FQDN of each firewall as the common name while generate CSR ?
I can see the certificate are synchronising each other, but TLS profile not ?
@OtakarKlier thanks for the quick reply.
so What should i include in Common name while generating CSR ?
Once i uploaded the signed certificate and root CA to the firewall , I need to create ssl/tls profile in both the Palo alto firewall right ?
Then i will add this profile in general setting in both the firewall ?
Correct me if am wrong ?
Just the name of the certificate. Its either going to be a self signed CA or a subordinate CA cert.
Ensuring the Proper Certificate Authority on the Firewall and Exporting the CA to Clients
Loading or generating a CA certificate on the Palo Alto Networks firewall is needed, because a Certificate Authority (CA) is required to decrypt traffic properly by generating SSL certificates on the fly. Either create a self-signed CA on the firewall or import a subordinate CA from your own PKI infrastructure. Select Forward Trust Certificate and Forward Untrust Certificate on one or more certificates to enable the firewall to decrypt traffic. Because SSL Certificate providers like Entrust, Verisign, Digicert, and GoDaddy do not sell CAs, they are not supported in SSL Decryption.
@OtakarKlier thanks for the response .
I am asking for the WebUI certificate , which will be signed by our internal CA (Microsoft CA )
we are not using the public signed certificate.
For Webui, one Certificate is enough for both Palo alto ?
certificate is synronising between the Active/Passive HA , however SSL/Tls profile not ?
i need to create seperate SSL/TLS profile for both the PA ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!