How to Import the Intermediate CA on the Firewall

Created On 09/26/18 21:06 PM - Last Modified 06/01/23 03:28 AM


Resolution


Details

A Palo Alto Networks firewall can block websites that present untrusted certificates. Some websites use certificates signed by an intermediate CA. If that intermediate CA is not trusted on the Palo Alto Networks firewall, the firewall simply drops the packets. To avoid this situation, add the intermediate certificate to the firewall.

 

The firewall is configured to block SSL sites with untrusted certificates.

For example, the following site uses a certificate signed by an intermediate CA, so the firewall blocks it: www.studyisland.com


  1. Download the intermediate certificate "DigiCert SHA2 High Assurance Server CA" in PEM format.
  2. Log in to the firewall through the WebGUI.
  3. Go to Device > Certificates > Import and import the intermediate certificate "DigiCert SHA2 High Assurance Server CA".
  4. Click on the certificate and check "Trusted Root CA".
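
Because step 4 makes the firewall trust whatever file was imported, it helps to confirm on a workstation that the downloaded PEM is an unexpired CA certificate that really issued the site's server certificate. The script below is an added example, not part of the original article or Palo Alto Networks tooling; it assumes the OpenSSL CLI is installed, and `check_intermediate`, `make_demo_chain` and the throwaway certificates they use are hypothetical names constructed for illustration.

```bash
#!/bin/sh
# Added example: workstation checks for a downloaded intermediate CA file
# before it is imported and marked trusted. Requires the OpenSSL CLI.

# check_intermediate <intermediate.pem> <server-cert.pem>
# Returns 0 if every check passes, otherwise the number of the failed check.
check_intermediate() {
    ca="$1"; leaf="$2"
    # 1: the file must parse as a PEM X.509 certificate
    openssl x509 -in "$ca" -noout 2>/dev/null || { echo "not a PEM certificate" >&2; return 1; }
    # 2: it must be a CA certificate (basicConstraints CA:TRUE)
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' || { echo "not a CA certificate" >&2; return 2; }
    # 3: it must not be expired
    openssl x509 -in "$ca" -noout -checkend 0 >/dev/null || { echo "expired" >&2; return 3; }
    # 4: its subject must be the issuer named in the server certificate
    [ "$(openssl x509 -in "$ca" -noout -subject_hash)" = \
      "$(openssl x509 -in "$leaf" -noout -issuer_hash)" ] || { echo "issuer mismatch" >&2; return 4; }
    # 5: its key must have signed the server certificate
    openssl verify -partial_chain -CAfile "$ca" "$leaf" >/dev/null 2>&1 || { echo "bad signature" >&2; return 5; }
    # Print details to compare with the values the CA publishes
    openssl x509 -in "$ca" -noout -subject -issuer -enddate -fingerprint -sha256
}

# make_demo_chain <dir>: constructed throwaway certificates for trying the
# checks offline (a CA, an unrelated CA, and a server cert issued by the first).
make_demo_chain() {
    d="$1"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
        '[dn]' 'CN=Constructed Intermediate CA' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -subj "/CN=Constructed Other CA" -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Usage: sh check_intermediate.sh intermediate.pem server-cert.pem
if [ "$#" -eq 2 ]; then check_intermediate "$1" "$2"; fi
```

A non-zero return identifies which check failed, so a file that is not a CA certificate or did not issue the site's certificate is caught before it reaches the firewall's trust store.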

 

owner: hshah


