Cannot login to the management interface using self-signed ECDSA certificate in SSL/TLS profile
19081
Created On 03/27/19 18:06 PM - Last Modified 04/11/24 10:38 AM
Symptom
- When following the recommendations in the KB article to address the Sweet32 vulnerability:
- Create a self-signed ECDSA certificate to be assigned to the SSL/TLS profile for the management interface.
- Check the Certificate Authority box in order to generate a self-signed certificate.
- Now, when opening the WebUI in the Chrome browser, the following error is seen:
This site can’t provide a secure connection
10.73.101.13 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Environment
- PAN-OS 7.1 and above.
- Any Palo Alto Firewall.
- Any Panorama.
Cause
- ECDSA CA certificates cannot be used as server certificates or as client certificates.
- A child certificate signed by the ECDSA CA is required so that it contains the X.509v3 Extended Key Usage attributes "TLS Web Server Authentication" and "TLS Web Client Authentication".
Resolution
- If the Web-UI window is closed, log in using CLI commands and revert the configuration to a previously working version. An example is shown below. If access is not closed, proceed from Step 2.
admin@FW> configure
admin@FW# load config version <version #> => using ? displays the config versions
admin@FW# commit
admin@FW# exit
- Log in to the Web-UI and generate a self-signed ECDSA certificate with the Certificate Authority box checked: Device > Certificates > Generate.
- Generate a leaf ECDSA certificate signed by the certificate created above: Device > Certificates > Generate.
- Add the leaf ECDSA certificate to an SSL/TLS profile whose Min Version is set to TLSv1.2: Device > Certificate Management > SSL/TLS Certificate Profile.
- Assign that SSL/TLS Service Profile under Device > Setup > Management tab > General Settings.
- Commit the configuration.
- Login access should work after the commit.
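As an added illustration that is not part of this KB article: the same ECDSA CA plus leaf hierarchy built with openssl on a workstation, so the Extended Key Usage difference behind the browser error can be inspected directly. The subject names, the management IP from the Symptom section and the prime256v1 curve are constructed assumptions.

```shell
#!/bin/sh
# Added illustration, not part of the KB: rebuild the CA -> leaf ECDSA
# hierarchy from the Resolution with openssl and inspect the extensions that
# decide which certificate a browser accepts for the management interface.
set -e
WORK="$(mktemp -d)"

# Minimal openssl config so the example does not depend on the system's.
printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
  '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
  'keyUsage = critical,keyCertSign,cRLSign' \
  '[leaf_ext]' 'basicConstraints = critical,CA:FALSE' \
  'keyUsage = critical,digitalSignature' \
  'extendedKeyUsage = serverAuth,clientAuth' \
  'subjectAltName = IP:10.73.101.13' > "$WORK/openssl.cnf"

# Step 1 equivalent: self-signed ECDSA certificate generated "as a CA".
# It has CA:TRUE and certificate-signing key usage, but no TLS Web Server
# Authentication EKU, which is why the browser refuses it as a server cert.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
  -subj "/CN=Mgmt ECDSA CA (constructed)" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Step 2 equivalent: leaf ECDSA certificate signed by that CA, carrying the
# serverAuth and clientAuth EKUs named in the Cause section.
openssl req -new -config "$WORK/openssl.cnf" \
  -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=10.73.101.13" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
  -out "$WORK/leaf.crt" 2>/dev/null

# Exit 0 only if the certificate's text dump lists the given EKU, e.g.
# "TLS Web Server Authentication".
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# Exit 0 only if the certificate is flagged as a CA (basicConstraints CA:TRUE).
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Exit 0 only if the leaf ($2) validates against the CA ($1), i.e. the pair
# forms the chain the firewall will present.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Self-check mirroring the KB: the CA cert lacks serverAuth, the leaf has it.
if has_eku "$WORK/ca.crt" 'TLS Web Server Authentication'; then
  echo "unexpected: CA certificate advertises serverAuth" >&2; exit 1
fi
has_eku "$WORK/leaf.crt" 'TLS Web Server Authentication'
echo "leaf.crt has serverAuth; chains to ca.crt: $(chains_to_ca "$WORK/ca.crt" "$WORK/leaf.crt" && echo yes || echo no)"
```

Running `openssl x509 -in ca.crt -noout -text` beside the leaf's dump shows the one difference that matters to the browser: only the leaf carries the Extended Key Usage block.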