on 08-17-2016 11:59 AM - edited on 01-26-2021 01:15 PM by jdelio
If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.
Start Inside WebGUI
Go to your Palo Alto Networks firewall or Panorama WebGUI
Device > Certificate Management > Certificates
At the bottom of the screen, click Generate to create a new certificate. Ensure that it is signed by the firewall by clicking "Certificate Authority".
Export the PEM file with the private key: click the certificate you want to export, then click Export at the bottom of the screen. Choose "Base64 Encoded Certificate (PEM)", select "Export private key", and click OK.
Now back up the current certificates in case you need to revert to them if something goes wrong:
[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig
The PEM file that you generated will have both the private and public key, so you need to split the two. This is how I did it; you may have a better way. The file is readable, so you can copy and paste the sections into two different files or use the CLI commands:
NOTE: There might be an error with sudo that refers to missing entries in the /etc/hosts file, as the hostname is not automatically added to this file.
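One way to do the split from the shell, as an added example rather than the author's own commands: split_pem, make_sample_pem and the output file names are hypothetical, and the sample PEM is constructed placeholder data. It only separates the blocks; it does not decrypt or convert the key.

```shell
#!/bin/sh
# Added example. split_pem COMBINED CERT_OUT KEY_OUT (hypothetical helper)
# Copies CERTIFICATE blocks to CERT_OUT and "... PRIVATE KEY" blocks to
# KEY_OUT; returns non-zero unless both kinds of block were found.
split_pem() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    : > "$2" || return 2
    # Key file is created owner-only before any key material is written.
    ( umask 077 && : > "$3" && chmod 600 "$3" ) || return 2
    awk -v cert="$2" -v key="$3" '
        { sub(/\r$/, "") }                          # tolerate CRLF line ends
        /^-----BEGIN CERTIFICATE-----$/        { out = cert; ncert++ }
        /^-----BEGIN [A-Z ]*PRIVATE KEY-----$/ { out = key;  nkey++ }
        out != ""                              { print >> out }
        /^-----END [A-Z ]+-----$/              { out = "" }
        END { exit !(ncert > 0 && nkey > 0) }
    ' "$1"
}

# Constructed sample input: placeholder base64, not real key material.
make_sample_pem() {
    cat > "$1" <<'EOF'
stray line outside any block (dropped by split_pem)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
EOF
}

# Demo in a scratch directory; nothing under /etc/nginx is touched.
demo_dir=$(mktemp -d)
make_sample_pem "$demo_dir/combined.pem"
split_pem "$demo_dir/combined.pem" "$demo_dir/server.cer" "$demo_dir/server.key" &&
    ls -l "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a copy of the exported file and inspect both outputs before moving anything into /etc/nginx.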