Adding an External Dynamic List Object and importing the Intermediate CA certificate from the external web server that the EDL is hosted on

L0 Member

 

I am trying to add an External Dynamic List to our PA-440. 

 

The External Dynamic List is hosted on an external web server by one of our security partners.  This web server is https enabled and authentication is via username/password.  This is the screenshot when you go to the EDL's Source URL:

 

thivye_1-1676501196399.png

 

According to this documentation, in order for the firewall to authenticate to this server, I will need to add the Intermediate CA certificates that match the certificates installed on the server the firewall is authenticating.  With that profile, I will have the option to add a username and password to the External Dynamic List object when I add the correct Certificate Profile.

 

 

Here is the documentation that states I need to add the Intermediate CA certificates that match the certificates installed on the server the firewall is authenticating:

 

thivye_2-1676501218691.png

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/use-an-external-dynamic-list-in-po...

 

My understanding of this is I needed to:

  1. Download the Intermediate CA certificate from the external web server that's hosting the EDLs
  2. Import this Intermediate CA certificate into the Certificate Manager
  3. Create a Certificate Profile to add to the EDL object.

 

 

Downloading the Intermediate CA Certificate:

 

To download the Intermediate CA certificate from the external web server that's hosting the EDLs:

 

  1. Click the lock icon:

thivye_3-1676501263508.png

  2. Click on "Connection Secure":

thivye_8-1676501297085.png

  3. Click on "More Information":

thivye_9-1676501307699.png

  4. Click "View Certificate":

thivye_10-1676501316888.png

  5. Click the middle certificate (the Intermediate CA), scroll down and download the cert file (.PEM)

thivye_11-1676501347626.png

 

 

> Is this the correct file to be downloading?

> The UserTrust CA is already in the list of Trusted Certificate Authorities in the Certificate manager of the PA-440, so this Intermediate CA Certificate is all I should need.

1 REPLY

Cyber Elite

Hi @user9891 ,

 

Yes, that process is correct.  The document actually says to add the root and intermediate to the certificate profile.  That is the process that I use, and it works.  Your reasoning makes sense that the root is already trusted.  Let us know if only the intermediate CA works in the certificate profile.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
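A way to check which file in a downloaded chain is the intermediate CA before importing it, shown as an added example that is not part of either post above. It assumes the `openssl` CLI is available and that the chain is a PEM bundle (for instance the saved output of `openssl s_client -connect <host>:443 -showcerts`, or the browser's PEM chain download); the certificate names and the `edl.example.test` host are constructed sample data.

```shell
#!/usr/bin/env bash

# Split a PEM bundle ($1) into $2/cert-1.pem, cert-2.pem, ... ignoring any
# non-certificate text (such as the headers `openssl s_client -showcerts` prints).
split_chain() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ {n++; p=1}
                 p {print > (d "/cert-" n ".pem")}
                 /-----END CERTIFICATE-----/ {p=0}' "$1"
}

# List certificates in directory $1 that are intermediate CAs:
# basicConstraints CA:TRUE, and subject differs from issuer (not self-issued).
find_intermediates() {
  local f
  for f in "$1"/cert-*.pem; do
    if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' &&
       [ "$(openssl x509 -in "$f" -noout -subject_hash)" != \
         "$(openssl x509 -in "$f" -noout -issuer_hash)" ]; then
      echo "$f"
    fi
  done
}

# Succeeds only if leaf $3 chains through intermediate $2 to trusted root $1.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed sample data: throwaway root -> intermediate -> leaf in directory $1,
# plus chain.pem ordered leaf, intermediate, root.
make_demo_chain() (
  cd "$1" || exit 1
  new_csr() { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  new_csr int "Demo Intermediate CA"
  new_csr leaf "edl.example.test"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out int.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -days 2 -out leaf.pem 2>/dev/null
  cat leaf.pem int.pem root.pem > chain.pem
)

# Run on the constructed chain and print the subject of each intermediate found.
d=$(mktemp -d) && make_demo_chain "$d" && mkdir "$d/split" && split_chain "$d/chain.pem" "$d/split"
for c in $(find_intermediates "$d/split"); do openssl x509 -in "$c" -noout -subject; done
```

`chain_ok` is the check that matters before building the certificate profile: it fails when the intermediate you saved is not the one that issued the server certificate.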