Palo Alto Networks Knowledgebase: Unable to change bits or algorithms during certificate creation

Unable to change bits or algorithms during certificate creation

886
Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:02 AM
8.0 PAN-OS
Symptom

Symptoms

During certificate/CSR creation, one can change the number of bits used in the RSA and SHA algorithms to something higher than the default. One should also be able to change the algorithms to Elliptic Curve DSA and MD5 for hashing. The available values for RSA and SHA (as of 8.0) are:

 

RSA:
512
1024
2048 (default)
3072
4096

 

SHA:
SHA1
SHA256 (default)
SHA384
SHA512

 

However, in some cases an admin might not be seeing any options in the drop-down for either algorithm.

 

Diagnosis

The PHP debugs will show the following errors:

 

[2017/12/29 17:43:04] user=1282626187103044
Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php
[2017/12/29 17:43:04] user=1282626187103044
========= RemoteCall: Certificate.completeCertificateNbits =========
[2017/12/29 17:43:05] user=1282626187103044
<request cmd="op" complete="operations/request/certificate/generate/algorithm/RSA/rsa-nbits" cookie="1282626187103044"/>
[2017/12/29 17:43:05] user=1282626187103044
<response status="error"><msg><line>You need superuser privileges to do that</line></msg></response>
[2017/12/29 17:43:05] user=1282626187103044
Call to [PanDirect.run] /Certificate.completeCertificateNbits from router.php took 0.179s
[2017/12/29 17:43:06] user=1282626187103044
Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php
[2017/12/29 17:43:06] user=1282626187103044
========= RemoteCall: Certificate.completeCertificateDigest =========
[2017/12/29 17:43:06] user=1282626187103044
<request cmd="op" complete="operations/request/certificate/generate/digest" cookie="1282626187103044">
<algorithm>rsa</algorithm>
</request>
[2017/12/29 17:43:06] user=1282626187103044
<response status="error"><msg><line>You need superuser privileges to do that</line></msg></response>
[2017/12/29 17:43:06] user=1282626187103044
Call to [PanDirect.run] /Certificate.completeCertificateDigest from router.php took 0.167s

 



Resolution

Log in with any 'superuser' account and you should be able to change the bits and algorithms to any of the available options.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbbCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language