12-02-2024 05:54 AM
Hello,
1- Should the CA and Keys checkboxes in the Certificates section of the Palo Alto Firewall always be selected? That is, should the certificates used for Forward Proxy and SSL Inbound Inspection always have CA selected and keys imported?
2- We use just one self-signed certificate for the Forward Trust and Untrust proxy, so we need to import this certificate as a Trusted CA on the client computer. My question: how will the client then know when a website is untrusted? (The reason for my question is that we are using the same self-signed certificate for both options.)
Best Regards
12-03-2024 05:18 AM
1. For outbound proxy, the certificate needs to be a CA and have the private key. For inbound inline inspection, you need to have the server certificate associated with the web service running on the server. You only need to have the key; this does not need to be a CA certificate.
2. Do NOT use the same certificate for trusted and untrusted. The trusted one needs to be imported on the client so it trusts the signing CA certificate. The untrust one must not be imported, so the user gets a certificate error (it's untrusted because the upstream certificate is untrusted; this needs to be apparent to the user as well, as they would otherwise have the false impression this site is safe).
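The effect described in the reply above can be reproduced offline with the `openssl` CLI standing in for the firewall. This is an added example, not part of the original thread or Palo Alto's own tooling; the names `fw-trust`, `fw-untrust` and the `.example` sites are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed lab: all names, subjects and files are made up for this demo.
set -u
LAB=$(mktemp -d)
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
  '[ca]' 'basicConstraints=critical,CA:TRUE' > "$LAB/ca.cnf"

# make_ca NAME: self-signed CA cert + key, standing in for a firewall decryption cert.
make_ca() {
  openssl req -x509 -config "$LAB/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

# issue SITE CA: mint a leaf for SITE signed by CA, as the forward proxy does per session.
issue() {
  openssl req -new -config "$LAB/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/$2.pem" -CAkey "$LAB/$2.key" \
    -CAcreateserial -days 1 -out "$LAB/$1.pem" 2>/dev/null
}

# client_trusts SITE CA: does a client that imported only CA accept SITE's cert?
client_trusts() {
  openssl verify -CAfile "$LAB/$2.pem" "$LAB/$1.pem" >/dev/null 2>&1
}

report() {
  if client_trusts "$1" fw-trust; then echo "$1: accepted, no warning"
  else echo "$1: rejected, browser shows a certificate error"; fi
}

make_ca fw-trust      # imported on clients
make_ca fw-untrust    # never imported on clients

# Separate certificates: upstream-valid site signed by trust, upstream-invalid by untrust.
issue good.example fw-trust
issue bad.example fw-untrust
# Setup from the question: one certificate in both roles, so the bad site is signed by it too.
issue bad-shared.example fw-trust

report good.example
report bad.example
report bad-shared.example
```

The last line is the case from the question: with one certificate in both roles, the site with the bad upstream certificate is accepted exactly like the good one.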