Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

L1 Bithead

For the last few days, we have been experiencing an issue with logging in to the Palo Alto Firewall through the GUI. We are getting the below error from the browser during login.

abdulmunem_1-1702196767687.png

 

 

 
After that, we contacted TAC support but they were unable to solve this issue, and they suspected this issue happened due to the browser. Today morning we were able to solve this issue by the below command. 
 
> configure
# delete deviceconfig system ssl-tls-service-profile
# commit
# exit
 
 
11 REPLIES 11

L2 Linker

It is the issue with chrome not an issue of the firewall you will be able use Microsoft Edge and Mozilla Firefox and it will work.

There is a workaround you do for chrome:

Open registry editor and go to the following path:
>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

> Right-click and > Add a new DWORD (32-bit) Value ,Changed the Name to RSAKeyUsageForLocalAnchorsEnabled and set the value as the default (00000000). 

msyeedrafiqi_0-1702236024482.png

 


Close chrome and open again. You can reach out to to google through google support form for editing the key usage field and also check with your Certificate authority.

Zain

This is not only for Chrome we also experienced issues with the Mozilla browser. Only MS-EDGE is working

oh ok, but yeah as I said the issue from these browsers for key usage field in certificates you can check on their support forms to check if there any fix version or you can follow the same work around

Zain

L2 Linker

my colleague found this article in the PA knowledgebase that seems to explain and resolve the issue:

 

The captive portal page cannot be opened with an ERR_SSL_KEY_US... - Knowledge Base - Palo Alto Netw...

 

 welcome,


Please mark helpful responses, so others know as well

This one does not apply to another browser instead of Chrome.

L1 Bithead

For at least one of our clients, we get this with Edge as well as Chrome.   PAN-OS is at 10.1.10-h1 rather than 11 like Palo's KB says would be affected.
It is only with Palos that I've come across this.  What gives?

L1 Bithead

Oh, but it does work with Firefox.

Abdul & Dan - that's because you missed an important fact - it's a change in chrome behavior but Edge uses Chromium technology (which is what - surprise ! - Chrom is based on as well, therefore they both exhibit the same issue, but as Dan later replied, doesn't happen with Firefox because they use their own engine/tech whatever,

 

 and the solution is - configure the Captive portal certificate with key usage specified (or disable the usage of "RSAkey" in chrome/Edge


Please mark helpful responses, so others know as well

We are having this issue with both Chrome and Edge.

"configure the Captive portal certificate with key usage specified"

So, is it possible to do this with a self-signed certificate on the Palo Alto, or is it now required to issue said Certificate from a Certificate Authority? I don't see that option in the Palo Alto Certificate generation articles.

 

Deleting the ssl/tls service profile isn't an option for us, since we need that to enforce a minimum TLS version, which is required for PCI compliance.

 

 

Everything breaks eventually

L1 Bithead

Palo Alto confirmed in our support case that there is no available method to add the Key Usage extension to a self-signed certificate generated on the Palo Alto. The Certificate must be issued from a CA to add the Key Usage Extension.

 

Everything breaks eventually

L0 Member

Thank you! This worked perfectly for me. My connection to Panorama still wasn't working even after creating the registry edit suggested below. I console'd into the Panorama VM and deleted the ssl-tls-service-profile and now my connection works without issue.

  • 12912 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!