This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

The SSL Certificate is showing unsecure in one device

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

The SSL Certificate is showing unsecure in one device

Go to solution
Mohammed_Yasin
L4 Transporter

‎07-04-2020 11:18 PM

I have installed an SSL certificate on my firewall it is working fine for all of our Palo Alto devices except one device as it is showing it is not secure.

I checked and I found that the device is still using the localhost generated certificate. I don’t know how to force it to use the SSL Certificate I installed.

Note that I set up the SSL/TLS Service Profile and chosen the proper certificate from the list of Certificates. Which is the only certificate available?

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
ACieszkowski
L3 Networker
In response to Mohammed_Yasin

‎07-13-2020 02:17 AM

Hi @Mohammed_Yasin,

 

At this point I will suggesting getting in touch with TAC.

View solution in original post

0 Likes Likes

Go to solution
ACieszkowski
L3 Networker
In response to Jal_963

‎07-21-2020 01:33 AM

@Jal_963,

 

In principle:

  • you can generate CSRs from the Active Node in HA, Passive Node in HA, or from both - does not matter because they are synced, just have to time and queue the Commits right;
  • you can generate CSRs using external tool, I like working with XCA (https://hohnstaedt.de/xca/), and import them into PA after signing;
  • you can specify Common Name and Subject Alternative Name to whatever you want, however using the hostname/FQDN makes most sense most of the time as those correspond to the WebUI URL; best practice is to have both Common Name and Subject Alternative Name with equal values;
  • you possibly could use one certificate for WebUI of both HA nodes, however it would require some trickery;
  • Certificates and SSL/TLS Service Profiles are synced in HA as long as they are not used for WebUI.

More to the point, workflow could be:

  • Login into Active Node;
  • prepare two CSRs with CN/SAN corresponding to the WebUI URLs on Active Node;
  • import signed by external CA certificates into Active Node;
  • Commit on Active Node;
  • create two SSL/TLS Service Profiles, one for each certificate;
  • use one of the SSL/TLS Service Profiles as WebUI SSL/TLS Service Profile on Active Node;
  • Commit on Active Node;
  • Login into Passive Node;
  • use one of the SSL/TLS Service Profiles as WebUI SSL/TLS Service Profile on Passive Node;
  • Commit on Passive Node;

It is possible to perform it a bit quicker, but longer way is simpler.

View solution in original post

0 Likes Likes
13 REPLIES 13

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎07-06-2020 01:50 PM

Hello,

I would say follow the proper setup steps, you could have missed a step.

 

Regards,

0 Likes Likes

Go to solution
ACieszkowski
L3 Networker

‎07-07-2020 08:02 AM

Hi @Mohammed_Yasin,

 

Verify that Commit was successful on the device in question. If it was - reboot and recheck.

Open Support Case if issue persists.

 

Remember that WebUI certificates are not synchronized in a HA pair. 

0 Likes Likes

Go to solution
Mohammed_Yasin
L4 Transporter
In response to ACieszkowski

‎07-12-2020 12:20 AM

I have reinstalled a certificate that was working fine with my firewall, but suddenly I lost access to the GUI of the firewall.

I tried what is mentioned here in the link below with no luck.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cli0CAC

0 Likes Likes

Go to solution
ACieszkowski
L3 Networker
In response to Mohammed_Yasin

‎07-13-2020 02:17 AM

Hi @Mohammed_Yasin,

 

At this point I will suggesting getting in touch with TAC.

0 Likes Likes

Go to solution
Jal_963
L0 Member

‎07-20-2020 10:51 AM

Dear ,

I need to install webui certificate for both the palo alto , CSR will be signed by internal CA.

 

Do i need to create CSR from each firewall ? like i can generate from Primary firewall or from both ?

Should i incude FQDN of each firewall as the common name while generate CSR ?

I can see the certificate are synchronising each other, but TLS profile not ?

 

 

Please assist me @OtakarKlier  @ACieszkowski 

 

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to Jal_963

‎07-20-2020 11:16 AM

Just the one should do. Dont need the firewall names since the certificate is just being used between the PAN and the client. 

0 Likes Likes

Go to solution
Jal_963
L0 Member
In response to OtakarKlier

‎07-20-2020 11:20 AM

@OtakarKlier  thanks for the quick reply.

 

so What should i include in Common name while generating CSR ?

 

Once i uploaded the signed certificate and root CA to the firewall , I need to create ssl/tls profile in both the Palo alto firewall right ?

Then i will add this profile in  general setting in both the firewall ?

 

Correct me if am wrong ?

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to Jal_963

‎07-20-2020 11:27 AM

Just the name of the certificate. Its either going to be a self signed CA or a subordinate CA cert.

 


Ensuring the Proper Certificate Authority on the Firewall and Exporting the CA to Clients

Loading or generating a CA certificate on the Palo Alto Networks firewall is needed, because a Certificate Authority (CA) is required to decrypt traffic properly by generating SSL certificates on the fly. Either create a self-signed CA on the firewall or import a subordinate CA from your own PKI infrastructure. Select Forward Trust Certificate and Forward Untrust Certificate on one or more certificates to enable the firewall to decrypt traffic. Because SSL Certificate providers like Entrust, Verisign, Digicert, and GoDaddy do not sell CAs, they are not supported in SSL Decryption.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS

 

Cheers!

0 Likes Likes

Go to solution
Jal_963
L0 Member
In response to OtakarKlier

‎07-20-2020 11:35 AM

@OtakarKlier thanks for the response .

 

I am asking for the WebUI certificate , which will be signed by our internal CA (Microsoft CA )

we are not using the public signed certificate.

 

 

For Webui, one Certificate is enough for both Palo alto ? 

certificate is synronising between the Active/Passive HA , however SSL/Tls profile not ?

i need to create seperate SSL/TLS profile for both the PA ?

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to Jal_963

‎07-20-2020 11:37 AM

Sorry, my bad. You will need one cert per device.

0 Likes Likes

Go to solution
Jal_963
L0 Member
In response to OtakarKlier

‎07-20-2020 11:46 AM

@OtakarKlier yea , but while generating CSR what should i added in Common name ? 

 

should i generate CSR from both the Firewall or i can generate two CSR from Primary Firwewall added different Common name ?

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to Jal_963

‎07-20-2020 11:47 AM

csr for each...

0 Likes Likes

Go to solution
ACieszkowski
L3 Networker
In response to Jal_963

‎07-21-2020 01:33 AM

@Jal_963,

 

In principle:

  • you can generate CSRs from the Active Node in HA, Passive Node in HA, or from both - does not matter because they are synced, just have to time and queue the Commits right;
  • you can generate CSRs using external tool, I like working with XCA (https://hohnstaedt.de/xca/), and import them into PA after signing;
  • you can specify Common Name and Subject Alternative Name to whatever you want, however using the hostname/FQDN makes most sense most of the time as those correspond to the WebUI URL; best practice is to have both Common Name and Subject Alternative Name with equal values;
  • you possibly could use one certificate for WebUI of both HA nodes, however it would require some trickery;
  • Certificates and SSL/TLS Service Profiles are synced in HA as long as they are not used for WebUI.

More to the point, workflow could be:

  • Login into Active Node;
  • prepare two CSRs with CN/SAN corresponding to the WebUI URLs on Active Node;
  • import signed by external CA certificates into Active Node;
  • Commit on Active Node;
  • create two SSL/TLS Service Profiles, one for each certificate;
  • use one of the SSL/TLS Service Profiles as WebUI SSL/TLS Service Profile on Active Node;
  • Commit on Active Node;
  • Login into Passive Node;
  • use one of the SSL/TLS Service Profiles as WebUI SSL/TLS Service Profile on Passive Node;
  • Commit on Passive Node;

It is possible to perform it a bit quicker, but longer way is simpler.

0 Likes Likes
  • 2 accepted solutions
  • 10159 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks