PCI compliance ECDHE/RSA


L1 Bithead

There were a couple of discussions on this months ago with no resolution. SecureTrust's PCI scans say that we are failing. We would need to set both RSA and ECDHE to 2048 but there is no option to do so that I know of for the SSL/TLS profile.  The workaround that was discussed was to disable ECDHE and RSA.  However, among other possible issues, it breaks the app for Apple devices. 

 

Just wondering if anyone has come across a fix.

2 REPLIES

L4 Transporter

Hello @wicklunds 

 

Good evening. If you use an SSL/TLS profile associated with a custom certificate, self-signed or signed by an internal CA, you can generate it with ECDSA at 256 or 384 bits, or with RSA from at least 512 up to 4096 bits, at least for those self-signed by the Palo Alto; if it is an internal CA, it depends on what support you have for generating certificates.

Then assign it to the firewall administration, i.e. the web GUI, so that it responds with that certificate.

 

Review this:

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmqeCAC#:~:text=value%3E%2...

 

Best regards

High Sticker

Thanks for the reply. I should have mentioned that this is for PCI compliance. As I understand it, the article you posted only allows an on/off toggle. Our certificate is not self-signed. I'll double-check, but I believe it was generated properly.
