Palo Alto Networks Knowledgebase: How to Install a Chained Certificate Signed by a Public CA
How to Install a Chained Certificate Signed by a Public CA
Created On 09/25/18 20:40 PM - Last Updated 08/05/19 20:11 PM
When configuring a Palo Alto Networks Next Generation Firewall, a certificate signed by a trusted public Certificate Authority (CA) may be desired on:
Captive Portal ("CP") pages
GlobalProtect ("GP") Portal
Many public CAs use chained certificates, that is, certificates not signed by the Root CA itself, but one or more Intermediate CAs. These are usually owned and operated by the same CA but gives that CA flexibility and ease of revocation if a problem arises.
1. Requesting the certificate
Depending on which PAN-OS version is installed on the firewall, a private key and CSR may need to be generated on a third-party program such as OpenSSL.
When a certificate is not signed by the Root CA, the intermediate CAs should be sent to clients in case those clients do not have the intermediate CAs in their trusted key store already. To do that, a combination certificate that consists of the signed certificate (CP, GP, and so on), followed by the intermediate CAs. The image below shows two, but the same process is valid for only one intermediate CA or several.
To get each of these certificates:
Open the "Server Cert" file sent by the CA.
In Windows, the certificate dialog box has three tabs: General, Details, and Certification Path.
Click the Certification Path and click the certificate one step above the bottom.
Open that certificate and click the Details tab, then Copy To File.
Save the file as a Base-64 encoded X.509 (.CER) formatted certificate.
Do the same for all certificates in the chain except the top (Root).
Open each certificate .CER file in a plain-text editor (such as Notepad).
Paste each certificate end-to-end, with the Server Cert on top and each signer below that.
Save the file as a .TXT or .CER file Note: The name of the file cannot contain spaces, as this may cause the import to fail.
3. Importing the Certificate
Take the combined certificate and import it on the firewall.