Resource List: SSL Certificates Configuring and Troubleshooting

Resource List: SSL Certificates Configuring and Troubleshooting

115691
Created On 09/26/18 20:46 PM - Last Modified 05/12/21 02:14 AM


Environment


  • Palo Alto Firewall.
  • Any PAN-OS.
  • SSL Certificates.


Resolution


Overview

SSL is an acronym for Secure Sockets Layer, an encryption technology that was created by Netscape. SSL certificates create an encrypted connection between a web server and a web browser, allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery.

 

Types of SSL certificates and where they are used on Palo Alto Networks:

 

Self-Signed

(PAN)

Public CA

issued

Wildcard

Subject alt

name

Sub ordinate CA

(internal source)

WebUI

XXXX 

Captive portal - transparent

X    
Captive portal - redirectXXXX 
SSL forward proxy (decryption out)X   X
SSL inbound proxy (decryption in) XXXX
GlobalProtect - gateway, portal and client authenticationXXXXX

URL filtering override page

XXXX 

 

The following table provides a list of valuable resources on understanding and configuring SSL certificates:

TitleDescriptionType
Basic  
How to generate a CSR (certificate signing request) and import the signed certificateHow to generate a CSR (Certificate Signing Request) and Import the Signed CertificateDocument
How to generate a new self-signed SSL certificateHow to generate a new self-signed certificateDocument
Troubleshooting SSL certificates in PAN-OSTroubleshooting tips for general SSL certificatesDocument
Pushing SSL decryption certificates using GPOPushing SSL decryption certificates using GPODocument
How to perform a client certificate install for SSL decryptionHow to install a client certificate install for SSL decryptionDocument
How to create a subordinate CA certificate for Microsoft Certificate ServerCreate a subordinate CA certificate with Microsoft Certificate Server.Document
How to install a chained certificate signed by a Public CAHow to install a chained certificate signed by a public CADocument
Intermediate  
SSL certificates with HTTPS CRLInformation about SSL certificate with HTTPS for the CRLDocument
Exporting IIS SSL certificateHow to export the SSL certificate from a Microsoft IIS serverDocument
How to delete certificates on a Palo Alto Networks firewallHow to delete certificates on a Palo Alto Networks firewallDocument
Advanced  
Commit error received after configuring SSL decryption for certificate generationConfiguring SSL decryption - commit fails after generating a certificate errorDocument
SSL decryption stops working on Firefox after changing SSL decryption certificateAfter changing the SSL Decryption certificate, SSL decryption does not work with Firefox Document
Wrong certificate used when SSL decryption is enabled.Untrusted certificate presented when performing SSL decryptionDocument
Commit error received after configuring SSL decryption for certificate generationConfiguring SSL decryption - commit fails after generating a certificate errorDocument
Error deleting certificate - Web-server-certificateWhen attempting to delete a certificate that is used for web server certificate, error is receivedDocument
How to use a Wildcard SSL certificate with Subject Alternative Names (SAN) for GlobalProtect portal and gatewayHow to use a wildcard (multi-domain) certificate with one common name and Subject Alternative Names (SAN) for other protected domains.Document
Error deleting certificate on PAN-OS - ssl-decrypt; trusted-root-CAError deleting certificate on PAN-OS - SSL-decrypt > trusted-root-CADocument
Captive portal using transparent mode with LDAP auth or redirect mode with client certificate auth in Vwire deploymentGuide in configuring captive portal in a Vwire deploymentDocument
Windows certificate authority delivers certificates that cannot be read by PAN-OSWindows certificate authority delivers certificates that cannot be read by PAN-OSDocument

Note: If you have a suggestion for an article, video or discussion not included in this list please submit the content through the feedback column on the right and it will be added to the master list.

 

Browser certificate errors:
Remember with SSL certificates, there are three things that are always checked inside of an SSL certificate:

  1. Certificate name matching the FQDN or IP address
  2. Is this from a Trusted CA?
  3. Is the certificate expired?

If these items are OK, then the certificate should be fine.



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5YCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language