You get the error "Your connection is not private," whenever you HTTPS to a new device.
This is because the device uses a self-signed certificate and the client doesn't have the valid CA cert installed.
To create a local user account, go to Device > Administrators > Add.
Notice the admin (Superuser) account created by default.
Type a Name (john) and type a Password > type again to Confirm Password > leave other settings in default > click OK.
You'll need to generate two CA Certificates: the first one is the self-signed Root CA.
This is the top-most cert, which the PAN Firewall uses for other purposes.
To generate a CA cert, go to Device > Certificates > Generate (at the bottom).
Leave the default Certificate Type: Local > type a Certificate Name: PAN-CA-CERT > type a Common Name: 192.168.1.1 > tick Certificate Authority.
You can optionally add Certificate Attributes.
In this case, I added Country > SG (Singapore) > click Generate.
Click OK.
To create a user cert, click Generate (at the bottom) > leave the default Certificate Type: Local > type a Certificate Name: PAN-USER-CERT > type a Common Name: PAN-USER-CERT > select Signed By: PAN-CA-CERT (Root CA Cert created earlier) > click Generate.
Notice the User Cert (PAN-USER-CERT) is listed as a sub-entry under the Root CA cert (PAN-CA-CERT).
Click OK.
To create a Certificate Profile, go to Device > Certificate Management > Certificate Profile > Add.
Type a Name: CERT-PROFILE-1 > select Username Field: Subject.
Click Add > select CA Certificate: PAN-CA-CERT (Root CA Cert created earlier).
Click OK.
To apply the Certificate Profile, go to Device > Setup > Management tab > Authentication Settings > click edit (gear icon).
Select Certificate Profile: CERT-PROFILE-1 created earlier > click OK.
To export the User CA Cert (PAN-USER-CERT), go to Device > Certificate Management > Certificates > tick PAN-USER-CERT > Export (at the bottom).
Select File Format: Encrypted Private Key and Certificate (PKCS12).
Type the Passphrase (same passphrase used in generating PAN-USER-CERT) > type again to Confirm Passphrase > click OK.
Notice the PAN-USER-CERT was downloaded on the client machine.
Click Commit.
To install the User CA Cert, open the Certificate Manager (certmgr.msc) > Certificates - Current User > right-click on Personal folder > All Tasks > Import.
Click Next.
Type the passphrase (the same passphrase used when the User CA Cert was generated) > click Next.
Leave the default Certificate store: Personal > click Next.
Click Finish.
Click OK.
Close the Certificate Manager > click Yes to save settings.
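A scripted equivalent of the certmgr.msc import steps above, as an added example that is not part of the original post: it checks that the exported bundle holds the expected user cert (Common Name PAN-USER-CERT, issued by the CA whose Common Name is 192.168.1.1) before importing it into the Current User Personal store. The file path and the parameter names are assumptions.

```powershell
# Added example: inspect the exported PKCS12 bundle, then import it into
# Certificates - Current User > Personal (Cert:\CurrentUser\My).
# $PfxPath is a hypothetical download location; adjust it to where the export landed.
param(
    [string]$PfxPath         = "$env:USERPROFILE\Downloads\PAN-USER-CERT.p12",
    [string]$ExpectedSubject = 'PAN-USER-CERT',   # Common Name of the user cert
    [string]$ExpectedIssuer  = '192.168.1.1'      # Common Name of PAN-CA-CERT
)

$ErrorActionPreference = 'Stop'
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

# Prompt for the export passphrase instead of hard-coding it in the script.
$pass = Read-Host -AsSecureString -Prompt 'PKCS12 passphrase'

# Read the bundle without touching any certificate store.
$pfx  = Get-PfxData -FilePath $PfxPath -Password $pass
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }

$subjectCn = $leaf.GetNameInfo($simple, $false)   # $false = subject name
$issuerCn  = $leaf.GetNameInfo($simple, $true)    # $true  = issuer name

if ($subjectCn -ne $ExpectedSubject) { throw "Unexpected subject CN: $subjectCn" }
if ($issuerCn  -ne $ExpectedIssuer)  { throw "Unexpected issuer CN: $issuerCn" }

$now = Get-Date
if ($now -lt $leaf.NotBefore -or $now -gt $leaf.NotAfter) {
    throw "Certificate is outside its validity period ($($leaf.NotBefore) to $($leaf.NotAfter))"
}

# Import into the Personal store. Without -Exportable the private key is
# stored as non-exportable, so it cannot be copied back out of this profile.
Import-PfxCertificate -FilePath $PfxPath -Password $pass `
    -CertStoreLocation Cert:\CurrentUser\My | Out-Null

# The browser can only present the cert if it sits in the store with its key.
$installed = Get-Item "Cert:\CurrentUser\My\$($leaf.Thumbprint)"
if (-not $installed.HasPrivateKey) { throw 'Certificate imported without its private key' }

$installed | Select-Object Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
```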
I logged in again to the PAN Firewall via HTTPS and got a Confirm Certificate page displayed.
Click OK.
Click Continue to the website (not recommended).
The Confirm Certificate page was displayed. Click OK.
I log in using the user account: john > type the password > click Log In.
Notice the Logged In Admins: john and under System Logs: Client certificate authentication successful from 192.168.1.20.