Wildcard certificate on PA firewalls

Reply
Highlighted

Wildcard certificate on PA firewalls

Hi Team,

 

I'm trying to create a CSR in Panorama in order to get a wildcard certificate from our third party CA.

 

In order platforms, I define as common name the format *.mydomain.com but in Palo Alto I'm getting an error: Failed to generate certificate and key.

 

When I change the common name to .mydomain.com it allows me to create the CSR.

 

I just wanted to touch base with you guys in order to know about your experience working with wildcards on Palo Alto Plattform.

 

Any response will be very appreciated.

 

Thank you,

Tags (1)

Accepted Solutions
Highlighted
L7 Applicator

Re: Wildcard certificate on PA firewalls

It would help to know Panorama version as @vsys_remo mentioned.

 

In my case Panorama 8.1.4

Works like a charm.

 

wildcard1.PNGwildcard2.PNGwildcard3.PNG

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

View solution in original post


All Replies
Highlighted
L7 Applicator

Re: Wildcard certificate on PA firewalls

Are you choosing Signed by External Authority (CSR)?

Try to change Certificate Name to something else but leave Common Name to *.mydomain.com

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Highlighted
Cyber Elite

Re: Wildcard certificate on PA firewalls

Yup, just tested it as described by @Raido and it successfully generated a CSR for a wildcard cert.

 

(Remember to add *.mydomaim.com also as "hostname" when you generate the CSR)

Highlighted

Re: Wildcard certificate on PA firewalls

Thanks for your feedback Raido,

 

Yes Sir, I'm choosing Signed by External Authority (CSR) and I'm still getting the same error. The error clears out when I change the Common name to .mydomain.com (removing the *).

 

For the Certificate Name I'm adding wildcard-mydomain-com.

 

Other thing I forgot to mention was that I'm choosing Algorithm Elliptic Curve DSA.

 

Thanks,

Highlighted

Re: Wildcard certificate on PA firewalls

Thanks vsys,

 

I just tested that and got error: "request -> certificate -> generate -> hostname '*.mydomain.com' is invalid"

 

Could you test it for an Elliptic Curve DSA cert?

 

Thanks,

Highlighted
Cyber Elite

Re: Wildcard certificate on PA firewalls

What PAN-OS version do you have installed and are you logged in with a user that has "superuser" privileges?

Highlighted
L7 Applicator

Re: Wildcard certificate on PA firewalls

It would help to know Panorama version as @vsys_remo mentioned.

 

In my case Panorama 8.1.4

Works like a charm.

 

wildcard1.PNGwildcard2.PNGwildcard3.PNG

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

View solution in original post

Highlighted
L3 Networker

Re: Wildcard certificate on PA firewalls

Works fine on PAN OS 7.1.16 too. Defined *.mydomain.com in both CN and hostname feilds with superuser account and it was generated successfully. So was the commit too.

 

pic1.PNG

 

pic2.PNG

Highlighted
Cyber Elite

Re: Wildcard certificate on PA firewalls

@AlexandroDelAngel

I was asking about the version and the permissions because may be you are seeing this bug (which is fixes in PAN-OS 8.0.10):

Screenshot_20181031-124755_Chrome.jpg

Highlighted

Re: Wildcard certificate on PA firewalls

Thanks for your feedback Team,

 

Our Panorama is already in 8.0.10 and yes, my account is a superuser. I guess it's time to escalate to PA Support, I just don't want to purchase a useless wildcard certificate.

 

Kind Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!