Palo Alto Networks Knowledgebase: How to Import the Intermediate CA on the Firewall

Created On 02/07/19 23:37 PM - Last Updated 02/07/19 23:37 PM
Resolution

Details

A Palo Alto Networks firewall can block websites that present untrusted certificates. Some websites use certificates signed by an intermediate CA. If that intermediate CA is not trusted on the Palo Alto Networks firewall, the firewall drops the packets. To avoid this, add the intermediate certificate to the firewall.

The firewall is configured to block SSL sites with untrusted certificates.

For example, the certificate of the following site is signed by an intermediate CA, so the firewall blocks it: www.studyisland.com


  1. Download the intermediate certificate "DigiCert SHA2 High Assurance Server CA" in PEM format.
  2. Log in to the firewall through the WebGUI.
  3. Go to Device > Certificates > Import and import the intermediate certificate "DigiCert SHA2 High Assurance Server CA".
  4. Click on the certificate and check "Trusted Root CA".
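Step 4 makes the firewall trust everything issued under the imported certificate, so it is worth confirming first that the downloaded file really is the intermediate CA that issued the site's certificate. The script below is an added example, not part of the original article or of Palo Alto Networks tooling: it uses the `openssl` CLI on an admin workstation, `make_demo_chain` and `check_intermediate` are hypothetical helper names, and the chain it builds is constructed test data standing in for the real DigiCert and site certificates.

```shell
#!/bin/sh
# Added example: every certificate below is constructed, throwaway test data.

# Build a constructed root -> intermediate -> leaf chain in directory $1.
make_demo_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Constructed Root CA" -days 2 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/int.key" \
        -out "$d/int.csr" -subj "/CN=Constructed Intermediate CA" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null &&
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Usage: check_intermediate INTERMEDIATE.pem SITE_LEAF.pem TRUSTED_ROOT.pem
check_intermediate() {
    int=$1 leaf=$2 root=$3
    # 1. The download must parse as a PEM X.509 certificate.
    openssl x509 -in "$int" -noout 2>/dev/null || { echo "not a PEM certificate"; return 1; }
    # 2. It must be a CA certificate (basicConstraints CA:TRUE).
    openssl x509 -in "$int" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA certificate"; return 2; }
    # 3. An intermediate is issued by another CA, so subject and issuer differ.
    [ "$(openssl x509 -in "$int" -noout -subject_hash)" != \
      "$(openssl x509 -in "$int" -noout -issuer_hash)" ] || { echo "self-signed root, not an intermediate"; return 3; }
    # 4. The site's certificate must chain through it to a root that is already trusted.
    openssl verify -CAfile "$root" -untrusted "$int" "$leaf" >/dev/null 2>&1 ||
        { echo "site certificate does not chain through this intermediate"; return 4; }
    # 5. Print the SHA-256 fingerprint for an out-of-band comparison.
    openssl x509 -in "$int" -noout -fingerprint -sha256
}

# Demo run on the constructed chain.
demo=$(mktemp -d) && make_demo_chain "$demo" &&
    check_intermediate "$demo/int.pem" "$demo/leaf.pem" "$demo/root.pem" &&
    rm -rf "$demo"
```

With real files, compare the printed SHA-256 fingerprint against the value the issuing CA publishes before checking "Trusted Root CA" on the firewall.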

owner: hshah


