01-16-2025 08:52 AM
Guys,
I was finally able to confirm that split tunnel config file on a web server works, so I would like to share some tips with you.
This is an explanation for the link above.
Mutual TLS is under the same CA.
Initially, I used Let's Encrypt for the server certificate, but it doesn't provide a client certificate, so I used a client certificate that I created on a local Linux box. This resulted in an error in PanGPS.log (AdvancetST: downloaded content is not authenticated).
The engineers at Palo Alto helped me by giving me some useful links to understand mTLS.
Just to add a little bit, this link does not include the SAN, and when you check the operation with the client's browser, you will get a server certificate error.
When creating a CSR and issuing a certificate, it was necessary to add a few commands to include the SAN. Like this.
openssl req -new -key server.key.pem -out server.csr -addext "subjectAltName = DNS:example.com"
openssl ca -config /root/mtls/openssl.cnf -extfile san.txt -days 1650 -notext -batch -in server.csr -out server.cert.pem
san.txt contains: subjectAltName = DNS:example.com
Any private key can be used to sign the file. It has nothing to do with mTLS. Register the corresponding public key in Prisma Access.
Even after looking at the setup guide, I'm still confused as to which private key to use.
However, the Palo engineer told me that "anything is fine," and the problem became clear.
I'm looking forward to this, as it allows for more flexible route control than internal host detection.
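The following is an added example, not part of the post above and not Palo Alto's own procedure. It reproduces the two points the post makes: one private CA issues both the server certificate (with a SAN) and the client certificate, a certificate from a different CA fails to chain, and the key that signs the config file is a separate key whose only link to the setup is that its public half is registered on the other side. It uses `openssl x509 -req` rather than the post's `openssl ca` so that no CA database (`index.txt`, `serial`, `openssl.cnf`) is needed; the hostname `example.com`, the file name `split-tunnel.json`, the CA names and the work directory are all assumed. The detached SHA-256 signature at the end only illustrates that the signing key is independent of the mTLS certificates; the post does not say what signature format Prisma Access expects, and this is not a claim about it.

```shell
#!/bin/sh
# Added example (not from the original post): one private CA for both sides of
# the mutual TLS exchange, a server certificate with a SAN, and a separate key
# for signing the config file. Assumes openssl >= 1.1.1 (for -addext-era
# behaviour of req/x509) and a writable work directory.
set -e

WORK="${WORK:-$(mktemp -d)}"
HOST="${HOST:-example.com}"   # assumed hostname; use the real portal FQDN

# Self-signed CA certificate and key: $1 is the CA name (assumed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$1" -keyout "$WORK/$1.key.pem" -out "$WORK/$1.cert.pem" 2>/dev/null
}

# Leaf certificate issued by a CA. usage: issue_cert <ca-name> <leaf-name> [san-host]
# The SAN comes from an extension file, like san.txt in the post; it is what a
# browser or the GlobalProtect client matches against the hostname.
issue_cert() {
  ca="$1"; name="$2"; san="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key.pem" -out "$WORK/$name.csr" 2>/dev/null
  if [ -n "$san" ]; then
    echo "subjectAltName = DNS:$san" > "$WORK/$name.ext"
    set -- -extfile "$WORK/$name.ext"
  else
    set --
  fi
  openssl x509 -req -sha256 -days 1650 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.cert.pem" -CAkey "$WORK/$ca.key.pem" -CAcreateserial \
    "$@" -out "$WORK/$name.cert.pem" 2>/dev/null
}

# 0 when the leaf certificate chains to the named CA, non-zero otherwise.
chains_to() {  # usage: chains_to <ca-name> <leaf-name>
  openssl verify -CAfile "$WORK/$1.cert.pem" "$WORK/$2.cert.pem" >/dev/null 2>&1
}

# 0 when the certificate carries DNS:<host> in its subjectAltName.
has_san() {  # usage: has_san <leaf-name> <host>
  openssl x509 -in "$WORK/$1.cert.pem" -noout -text | grep -q "DNS:$2"
}

# The config file is signed with a key unrelated to the mTLS certificates; only
# its public key has to be registered on the receiving side. Plain detached
# SHA-256 signature for illustration; not a statement about Prisma Access's format.
sign_config() {  # usage: sign_config <file>
  openssl genrsa -out "$WORK/signer.key.pem" 2048 2>/dev/null
  openssl rsa -in "$WORK/signer.key.pem" -pubout -out "$WORK/signer.pub.pem" 2>/dev/null
  openssl dgst -sha256 -sign "$WORK/signer.key.pem" -out "$1.sig" "$1"
}
verify_config() {  # usage: verify_config <file>; 0 when the signature matches
  openssl dgst -sha256 -verify "$WORK/signer.pub.pem" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Full run: same CA for server and client, a stray client from another CA that
# must not verify, and a constructed sample config file that gets signed.
demo() {
  make_ca mtls-ca
  issue_cert mtls-ca server "$HOST"
  issue_cert mtls-ca client               # client certs need no SAN
  make_ca other-ca
  issue_cert other-ca stray-client        # wrong CA: must fail chains_to
  printf '{"split-tunnel": "constructed sample"}\n' > "$WORK/split-tunnel.json"  # constructed input
  sign_config "$WORK/split-tunnel.json"
  chains_to mtls-ca server && chains_to mtls-ca client && has_san server "$HOST" \
    && ! chains_to mtls-ca stray-client && verify_config "$WORK/split-tunnel.json"
}

demo && echo "server/client certificates verified and config signed in $WORK"
```

Run it as a plain `sh` script; every artifact lands in `$WORK`, and the script exits non-zero if the server or client certificate does not chain to the shared CA, if the server certificate lacks the SAN, if the stray client from the second CA unexpectedly verifies, or if the detached signature does not match.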