Saturday, January 4, 2020

Palo Alto Networks CA Certificate Management

You get the error "Your connection is not private" whenever you browse via HTTPS to a new device.

This happens because the device presents a self-signed certificate and the client does not have the corresponding CA certificate installed in its trust store, so the browser cannot validate the certificate chain.


To create a local user account, go to Device > Administrators > Add.

Notice the admin (Superuser) account created by default.

Type a Name (john) and type a Password > type again to Confirm Password > leave the other settings at their defaults > click OK. Note that the default Administrator Type is Dynamic with the Superuser role; in production, assign the narrowest role the account actually needs.



You'll need to generate two certificates: the first is a self-signed Root CA. This is the top-most certificate, which the PAN Firewall uses to sign the certificates issued below it. The second is a user (client) certificate signed by that Root CA.

To generate a CA cert, go to Device > Certificate Management > Certificates > Generate (at the bottom).

Leave the default Certificate Type: Local > type a Certificate Name: PAN-CA-CERT > type a Common Name: 192.168.1.1 > tick Certificate Authority. Ticking Certificate Authority sets the CA flag on the certificate, which is what allows it to sign other certificates.

You can optionally add Certificate Attributes.

In this case, I added Country > SG (Singapore) > click Generate.


Click OK.


To create a user cert, click Generate (at the bottom) > leave the default Certificate Type: Local > type a Certificate Name: PAN-USER-CERT > type a Common Name: PAN-USER-CERT > select Signed By: PAN-CA-CERT (the Root CA cert created earlier) > click Generate.


Notice the user cert (PAN-USER-CERT) appears nested under the Root CA cert (PAN-CA-CERT), showing that it was signed by that CA.

Click OK.


To create a Certificate Profile, go to Device > Certificate Management > Certificate Profile > Add. 


Type a Name: CERT-PROFILE-1 > select Username Field: Subject (the firewall reads the username from the Subject of the presented client certificate).


Click Add > select CA Certificate: PAN-CA-CERT (the Root CA cert created earlier). Only client certificates signed by a CA listed here will be accepted.


Click OK.



To apply the Certificate Profile to management access, go to Device > Setup > Management tab > Authentication Settings > click edit (gear icon).


Select Certificate Profile: CERT-PROFILE-1 created earlier > click OK. Once this is committed, a browser that cannot present a client certificate signed by PAN-CA-CERT will be refused access to the web interface, so export and install the user cert on your client before you commit.



To export the user cert (PAN-USER-CERT), go to Device > Certificate Management > Certificates > tick PAN-USER-CERT > Export (at the bottom).


Select File Format: Encrypted Private Key and Certificate (PKCS12). This bundles the certificate together with its private key, so the file must be protected.


Type a Passphrase to protect the exported private key > type again to Confirm Passphrase > click OK. Keep this passphrase; the same one is required when the file is imported on the client.


Notice that PAN-USER-CERT was downloaded to the client machine.


Click Commit.


To install the user cert, open the Certificate Manager (certmgr.msc) > Certificates - Current User > right-click the Personal folder > All Tasks > Import.


Click Next.


Type the passphrase chosen when the PKCS12 file was exported > click Next.


Leave the default Certificate store: Personal > click Next. This installs only the client certificate; the Root CA (PAN-CA-CERT) is not added to Trusted Root Certification Authorities by this procedure, so the browser will still warn about the firewall's own server certificate.


Click Finish.


Click OK.

Close the Certificate Manager > click Yes to save settings.
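To see what the GUI steps above do in concrete terms, here is an added openssl script (not from the original post and not Palo Alto Networks' code) that builds the same hierarchy on any Linux or macOS box: a self-signed Root CA with C=SG and CN=192.168.1.1 flagged as a Certificate Authority, a client certificate PAN-USER-CERT signed by it, a passphrase-protected PKCS12 export, and the read-back that the Windows import performs. The passphrase "changeit", the key sizes, the validity periods and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the page's certificate
# hierarchy with openssl so each GUI step maps to a concrete operation.
#   PAN-CA-CERT   self-signed root CA, C=SG, CN=192.168.1.1, CA:TRUE
#   PAN-USER-CERT client certificate signed by PAN-CA-CERT, CN=PAN-USER-CERT
# Export passphrase, key sizes and validity periods are assumptions.
set -eu

# build_pki DIR PASSPHRASE
# Creates DIR/PAN-CA-CERT.{key,crt} and DIR/PAN-USER-CERT.{key,crt,p12}.
build_pki() {
    dir="$1"; pass="$2"
    cat > "$dir/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
C  = SG
CN = 192.168.1.1

# Extensions for the root CA (what "tick Certificate Authority" sets)
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Extensions for the client certificate
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

    # 1. Self-signed root CA; subject comes from the [dn] section
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/pki.cnf" -extensions ca_ext \
        -keyout "$dir/PAN-CA-CERT.key" -out "$dir/PAN-CA-CERT.crt" 2>/dev/null

    # 2. Client key + CSR; -subj overrides [dn] with the page's Common Name
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/pki.cnf" -subj "/CN=PAN-USER-CERT" \
        -keyout "$dir/PAN-USER-CERT.key" -out "$dir/PAN-USER-CERT.csr" 2>/dev/null

    # 3. Sign the CSR with the root CA ("Signed By: PAN-CA-CERT")
    openssl x509 -req -sha256 -days 365 -in "$dir/PAN-USER-CERT.csr" \
        -CA "$dir/PAN-CA-CERT.crt" -CAkey "$dir/PAN-CA-CERT.key" -CAcreateserial \
        -extfile "$dir/pki.cnf" -extensions client_ext \
        -out "$dir/PAN-USER-CERT.crt" 2>/dev/null

    # 4. Export "Encrypted Private Key and Certificate (PKCS12)". The
    #    passphrase is chosen here and is what the Windows import asks for.
    openssl pkcs12 -export -name PAN-USER-CERT \
        -inkey "$dir/PAN-USER-CERT.key" -in "$dir/PAN-USER-CERT.crt" \
        -certfile "$dir/PAN-CA-CERT.crt" -passout "pass:$pass" \
        -out "$dir/PAN-USER-CERT.p12"
}

# is_ca DIR -> exit 0 if the root cert really carries the CA:TRUE flag
is_ca() {
    openssl x509 -in "$1/PAN-CA-CERT.crt" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok DIR -> exit 0 if the client cert validates against the root CA,
# which is the check the Certificate Profile performs on the presented cert
chain_ok() {
    openssl verify -CAfile "$1/PAN-CA-CERT.crt" "$1/PAN-USER-CERT.crt" >/dev/null
}

# p12_subject DIR PASSPHRASE -> prints the subject of the certificate inside
# the PKCS12 (empty output if the passphrase is wrong), mirroring the import
p12_subject() {
    openssl pkcs12 -in "$1/PAN-USER-CERT.p12" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

# Demo run
out=$(mktemp -d)
build_pki "$out" "changeit"       # "changeit" is an assumed passphrase
is_ca "$out" && echo "PAN-CA-CERT is a CA"
chain_ok "$out" && echo "PAN-USER-CERT chains to PAN-CA-CERT"
echo "PKCS12 contains: $(p12_subject "$out" changeit)"
echo "Files written to $out"
```

The `chain_ok` check is the same validation the firewall performs when CERT-PROFILE-1 lists PAN-CA-CERT as the trusted CA: a client certificate signed by any other CA fails `openssl verify` against PAN-CA-CERT.crt and would likewise be rejected at the TLS handshake.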


Logging in again to the PAN Firewall via HTTPS, a Confirm Certificate dialog is displayed: the browser asks which client certificate to present, because the firewall now requests one during the TLS handshake.

Click OK.


Click Continue to the website (not recommended). This warning concerns the firewall's own server certificate, which the browser still does not trust; it is unrelated to the client certificate just installed.


The Confirm Certificate page is displayed again. Click OK.


Log in using the user account: john > type the password > click Log In.


Notice under Logged In Admins: john, and under System Logs: Client certificate authentication successful from 192.168.1.20 (the client's address). This confirms the client certificate was validated against CERT-PROFILE-1 before the username and password were accepted.

