About Angelo

If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.   Start Inside WebGUI  Steps: Go to your Palo Alto Network Firewall or Panorama WebGUI Device > Certificate Management > Certificate At the bottom of the screen, click Generate, to create a new certificate. Ensure that it is signed by the firewall by clicking "Certificate Authority". Export the pem file with the private key by clicking the certificate you want to export and clicking Export at the bottom of the screen. Then use "Base64 Encoded Certificate (PEM)" and also select "Export private key" and click OK. Now to the CLI Steps: Now copy the cert to minemeld with the command: > scp cert_minemeld.pem ubuntu@minemeld Now, log into MineMeld via ssh with the command: ssh ubuntu@minemeld Now backup the current certificates in case you need to revert back to them if something goes wrong [minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/ngnix/minemeld.cer-orig [minemeld ~]$ sudo mv /etc/ngnix/minemeld.pem /etc/ngnix/minemeld.pem-orig The pem file that you generated will have both the private and public key so you need to split the two. This is how I did it, you may have a better way.  The file is readable so you can copy and paste the sections into two different files or use the CLI commands: [minemeld ~]$ cat cert_minemeld.pem | awk 'split_after==1{n++;split_after=0} /---- -END CERTIFICATE-----/ {split_after=1} {print > "minemeld" n ".cer"}' [minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer [minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out -out /etc/ngnix/minemeld/minemeld.pem [minemeld ~]$ sudo service nginx restart Now restart the browser session and you should not receive an untrusted error, if the root CA that signed the certificate is installed correctly on your machine. ... View more