@KTarver wrote:
Hi Brandon and thanks for your reply.
I am having trouble following you.
Purely from a PKI standpoint, if the FW has the client's CA in the trusted folder, then there shouldn't be a need for a wildcard. That is on the decryption side (LAN ingress traffic).
But my issue is before getting to that point.
From the FW, I created a CSR --> processed it with the CA and got a cert --> uploaded the new cert to the FW. When I do this, 2 issues occur:
1- The CSR remains "pending"
2- The newly uploaded cert has all the options (Forward Trust Certificate, Forward Untrust Certificate and Trusted Root CA) greyed out.
I am trying to understand why the 2 above are happening.
Thanks again Brandon
When doing SSL Interception, the decryption certificate needs to be a wildcard certificate that can impersonate any domain from any TLD. If it's not a wildcard certificate then it won't work. Like @BPry mentioned, I'm going to assume you meant your "external CA" was external from the FW, not external from your enterprise.
Your internal PKI has a "Root" and some "Intermediate" certificate authority servers. Those CAs need to be loaded on your FW. Those CAs need to be loaded in your client machines' cert stores. You need to generate a CSR from the firewall for one of those Intermediate CAs, which will then be signed by your internal PKI as a wildcard certificate. When they sign the cert and give it back to you and you upload it, you should see it chained as shown in this screenshot: Root --> ICA (Intermediate CA) --> SSL Cert:
The specific steps to get this to work can be found here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0&lang=en_US
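A check worth running on the signed certificate before uploading it to the firewall, as an added example that is not part of this thread or of the linked KB article: the script below uses the openssl CLI to build a throwaway PKI (Root --> ICA --> firewall decryption cert), has the ICA sign the firewall's CSR twice (once as a subordinate CA, once with an ordinary server-certificate profile, which is what a PKI template often produces by default), and then tests three things on each result: whether it carries basicConstraints CA:TRUE, whether it chains to the root through the ICA, and whether a per-site certificate signed with it would validate on a client that trusts the root. Only a certificate with CA:TRUE (and keyCertSign) can sign the per-site certificates the firewall mints during decryption; a chain can look correct in the UI and still be unusable for that role. All subjects, file names and the openssl invocations are assumptions for the example; the real firewall CSR is generated on the device, not with openssl.

```shell
#!/bin/sh
# Added example (not from the thread or Palo Alto Networks): build a throwaway
# PKI with openssl -- Root -> ICA -> firewall decryption cert -- then check
# what the certificate the PKI hands back actually is before uploading it.
# All names, subjects and file paths are made up for the example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: what a signing CA needs vs. what an ordinary server
# certificate template typically produces.
cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# Helper: new RSA key + CSR for a subject ($1 = file prefix, $2 = CN).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/O=Example Corp/CN=$2" 2>/dev/null
}

# 1. Root CA (self-signed) and the issuing ICA it signs. An ICA issued with
#    pathlen:0 could not sign the firewall's CA cert, so no pathlen is set.
new_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 3650 \
  -extfile ca_ext.cnf 2>/dev/null
new_csr ica "Example Issuing CA"
openssl x509 -req -in ica.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out ica.crt -days 1825 -extfile ca_ext.cnf 2>/dev/null

# 2. The firewall's CSR (stands in for the one generated on the FW), signed
#    by the ICA twice: as a subordinate CA, and with a server-cert profile.
new_csr fw "FW Decryption CA"
openssl x509 -req -in fw.csr -CA ica.crt -CAkey ica.key -CAcreateserial \
  -out fw_ca.crt -days 730 -extfile ca_ext.cnf 2>/dev/null
openssl x509 -req -in fw.csr -CA ica.crt -CAkey ica.key -CAcreateserial \
  -out fw_leaf.crt -days 730 -extfile leaf_ext.cnf 2>/dev/null

# Check 1: does the returned certificate carry CA:TRUE? Only then can it sign
# the per-site certificates the firewall generates during decryption.
is_ca_cert() {  # $1 = cert file; prints yes or no
  if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' \
       | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Check 2: does it chain Root -> ICA -> cert? Both variants pass this one,
# which is why a good-looking chain alone proves nothing about the role.
chain_verifies() {  # $1 = cert file; prints yes or no
  if openssl verify -CAfile root.crt -untrusted ica.crt "$1" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# Check 3: can a client that trusts the root validate a site certificate the
# firewall would mint with this cert? The presented chain is
# site -> firewall cert -> ICA. With a non-CA firewall cert, validation fails.
impersonation_validates() {  # $1 = firewall cert file; prints yes or no
  new_csr site "www.example.com"
  openssl x509 -req -in site.csr -CA "$1" -CAkey fw.key -CAcreateserial \
    -out site.crt -days 30 -extfile leaf_ext.cnf 2>/dev/null
  cat "$1" ica.crt > chain.pem
  if openssl verify -CAfile root.crt -untrusted chain.pem site.crt \
       >/dev/null 2>&1; then echo yes; else echo no; fi
}

for cert in fw_ca.crt fw_leaf.crt; do
  echo "$cert: CA=$(is_ca_cert "$cert") chain=$(chain_verifies "$cert")" \
       "mints_valid_site_certs=$(impersonation_validates "$cert")"
done
```

Run the same `openssl x509 -noout -text` inspection on the certificate your PKI returned: if the Basic Constraints block reads CA:FALSE (or is absent) and Key Usage lacks Certificate Sign, the PKI signed it from an end-entity template and it must be reissued from a subordinate-CA template before it can do anything useful on the decryption side.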