If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.
Start Inside WebGUI
Steps:
Go to your Palo Alto Networks firewall or Panorama WebGUI
Device > Certificate Management > Certificates
At the bottom of the screen, click Generate to create a new certificate. Ensure that it is signed by the firewall by clicking "Certificate Authority".
Export the pem file with the private key by clicking the certificate you want to export and clicking Export at the bottom of the screen. Then use "Base64 Encoded Certificate (PEM)" and also select "Export private key" and click OK.
Now to the CLI
Steps:
Now copy the cert to MineMeld with the command (the trailing colon puts the file in the ubuntu user's home directory):
> scp cert_minemeld.pem ubuntu@<minemeldIP>:
Now, log into MineMeld via ssh with the command:
ssh ubuntu@<minemeldIP>
Now back up the current certificates in case you need to revert to them if something goes wrong:
[minemeld ~]$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
[minemeld ~]$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig
The pem file that you generated contains both the private key and the certificate (public key), so you need to split the two. This is how I did it; you may have a better way. The file is readable, so you can copy and paste the sections into two different files or use the CLI commands below.
NOTE: sudo may print an error that refers to a missing entry in the /etc/hosts file, because the hostname is not automatically added to this file.
[minemeld ~]$ cat cert_minemeld.pem | awk 'split_after==1{n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1} {print > "minemeld" n ".cer"}'
[minemeld ~]$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
[minemeld ~]$ sudo openssl rsa -in minemeld1.cer -out /etc/nginx/minemeld.pem
[minemeld ~]$ sudo service nginx restart
Now restart the browser session and you should not receive an untrusted error, if the root CA that signed the certificate is installed correctly on your machine.
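A check worth running on the split files before they are copied into /etc/nginx and nginx is restarted. This is an added example, not part of the original article: it splits the exported bundle by block type, so it does not depend on the order of the blocks, keeps the key file owner-readable only, and confirms that the certificate and private key belong together. The function names and the cert.pem / key.pem output names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names and the
# cert.pem / key.pem output names are assumptions made for illustration.

# split_pem_bundle BUNDLE OUTDIR
# Writes every CERTIFICATE block to OUTDIR/cert.pem and the private key block
# (PRIVATE KEY, RSA PRIVATE KEY or ENCRYPTED PRIVATE KEY) to OUTDIR/key.pem,
# in whatever order they appear. Text outside PEM blocks is dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    (
        umask 077    # both files start out readable by their owner only
        : > "$outdir/cert.pem"
        : > "$outdir/key.pem"
        awk -v cert="$outdir/cert.pem" -v key="$outdir/key.pem" '
            /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
            /^-----BEGIN CERTIFICATE-----/   { out = cert }
            out != ""                        { print > out }
            /^-----END /                     { out = "" }
        ' "$bundle"
    ) || return 1
    chmod 644 "$outdir/cert.pem"    # the certificate is public
    # Succeed only if both parts were found.
    [ -s "$outdir/cert.pem" ] && [ -s "$outdir/key.pem" ]
}

# cert_matches_key CERT KEY
# True when the first certificate in CERT carries the public key of KEY.
# openssl prompts for the passphrase if the key is encrypted.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run as: sh split_check.sh cert_minemeld.pem OUTDIR
if [ "$#" -eq 2 ]; then
    if split_pem_bundle "$1" "$2" && cert_matches_key "$2/cert.pem" "$2/key.pem"; then
        echo "OK: certificate and private key match"
    else
        echo "FAIL: missing block or certificate/key mismatch" >&2
        exit 1
    fi
fi
```

Once the check passes, delete the copy of cert_minemeld.pem left in the home directory, since it still contains the private key.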