How to Implement Certificates Issued from Microsoft Certificate Services
Users who have implemented a Microsoft Certification Authority can seamlessly deploy features such as SSL-Decrypt (forward proxy) and GlobalProtect, assuming the Root Certificate has already been pushed to all clients. Certificates issued by the Microsoft CA can also eliminate certificate errors when accessing the firewall web UI for Management Access.
Use the Microsoft Certification Authority on Windows Server 2008 Enterprise either to back up/export the Root Certificate hosted on the CA or to generate/export a Subordinate CA. The subordinate approach keeps the Root CA secured: the Subordinate CA can be revoked at any time, and that revocation is completely transparent to the clients. Subordinates can be created if the CA includes the ‘Subordinate Certificate Authority’ template, available through the ‘Advanced Certificate Request’ page of the Microsoft Certificate Services web UI.
If the Certificate Services web page does not work, submit the request from the domain controller command line with the following command:
C:\> certreq.exe -submit -attrib "CertificateTemplate:SubCA" <CSR file>
If you are unable to generate a subordinate through Microsoft Certificate Services, you can export the Root CA (with its private key) and import it into the Palo Alto Networks firewall, which allows the firewall to sign the ‘on-the-fly’ certificates generated for SSL-Decrypt.
Important! Use this workaround with caution. It is strongly recommended to delete the Root CA from the Palo Alto Networks firewall immediately after the Subordinate CA has been issued.
To back up/export the Root Certificate from the CA, launch the Certification Authority snap-in and follow the Backup Wizard:
- Right-click on the CA. In the menu that appears, select "All Tasks" and then "Back up CA…" as shown below:
- Select Next to continue the Backup Wizard.
- Select the checkbox for "Private key and CA certificate". Without the private key it is not possible to sign certificates as a CA, which is a requirement for SSL-Decrypt/Forward-Proxy.
- Enter a password and save the file to a secure location; the password will be required during import.
- Click Finish to complete the backup/export, which saves the certificate and key in .p12 format.
To generate a Subordinate CA signed by the Root Certificate issued by the Microsoft Certificate Authority, temporarily import the Root Cert (the .p12 exported above) from the CA into the Palo Alto Networks firewall. Then generate a new CA certificate signed by the Root CA. In this example, the Microsoft Root CA 'InternalCA' signs the Subordinate CA 'SubordinateCA', which has been generated as a Certificate Authority.
Important! Once the Subordinate CA certificate has been issued, delete the recently imported Root CA from the firewall.
This allows the Subordinate CA to be distributed to Palo Alto Networks firewalls throughout the organization without compromising the Root CA, which should be deleted from the firewall as soon as the Subordinate has been generated. As long as the Root Certificate is installed on the client systems (typically deployed with AD/GPOs, scripts, etc.), the Subordinate certificate is trusted by default because it was signed directly by the Root. The following example shows a full, valid chain used with SSL-Decrypt: the certificate is generated on the fly by the Subordinate and validated up to the Root.
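The chain described above (Root CA, Subordinate CA, on-the-fly leaf certificate), rebuilt with openssl as an added example that is not part of the original article or of any Palo Alto Networks tooling. It assumes openssl 1.1.1 or newer; the CA names follow the article, while www.example.test, the .p12 password and the working directory are constructed placeholders. The helper functions let you check that an exported subordinate really is a CA certificate and that a client trusting only the Root accepts certificates it issues.

```shell
# Added example (not from the original article or from Palo Alto Networks): rebuild the
# Root CA -> Subordinate CA -> on-the-fly leaf chain with openssl so the trust relationships
# can be checked before a subordinate is rolled out to firewalls. Assumes openssl 1.1.1+.
# CA names follow the article; www.example.test and the .p12 password are placeholders.
set -e

build_chain() {   # $1 = working directory
  d="$1"; mkdir -p "$d"
  # Minimal constructed openssl config: -subj supplies each subject; v3_ca holds the CA extensions.
  printf '[req]\nprompt=no\ndistinguished_name=dn\n[dn]\nCN=placeholder\n[v3_ca]\n' > "$d/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$d/ca.cnf"
  # Root CA: self-signed, CA:TRUE. In the real deployment it lives on the Microsoft CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=InternalCA" \
    -config "$d/ca.cnf" -extensions v3_ca -keyout "$d/root.key" -out "$d/root.crt" >/dev/null 2>&1
  # Subordinate CA: a CSR signed by the root with CA extensions (what the SubCA template grants).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=SubordinateCA" \
    -config "$d/ca.cnf" -keyout "$d/sub.key" -out "$d/sub.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/sub.ext"
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$d/sub.ext" -out "$d/sub.crt" >/dev/null 2>&1
  # Leaf: the kind of certificate the firewall mints on the fly for a decrypted site.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -config "$d/ca.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt" >/dev/null 2>&1
}

# Mirrors the CA backup step: certificate plus private key in a password-protected .p12.
export_root_p12() {   # $1 = directory, $2 = password
  openssl pkcs12 -export -in "$1/root.crt" -inkey "$1/root.key" \
    -out "$1/root.p12" -passout "pass:$2" >/dev/null 2>&1
}

# Succeeds only if the subordinate really is a CA certificate, i.e. it can sign certificates.
sub_is_ca() {
  openssl x509 -in "$1/sub.crt" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds when a client trusting only the root accepts a leaf issued by the subordinate,
# with the subordinate supplied as an untrusted intermediate (the chain the client must see).
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/leaf.crt" >/dev/null 2>&1
}

# Returns non-zero when the intermediate is missing: the leaf alone does not chain to the root.
verify_leaf_alone() {
  openssl verify -CAfile "$1/root.crt" "$1/leaf.crt" >/dev/null 2>&1
}
```

Run `build_chain ./pki && sub_is_ca ./pki && verify_chain ./pki` to build and check a chain; the same `openssl verify` and `openssl x509 -text` checks apply unchanged to a subordinate and root exported from a real Microsoft CA.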
With either the Root Certificate imported as a CA or the Subordinate imported/generated as a CA, the firewall can now sign server certificates for GlobalProtect, the secure web UI for admin access, client certificates, etc., in addition to the seamless SSL-Decrypt deployment (assuming the Root has previously been deployed to the user community).