Can Wildcard Certificate on Firewall match with specific certificates on backend servers ?

Can Wildcard Certificate on Firewall match with specific certificates on backend servers ?

10256
Created On 11/10/20 22:27 PM - Last Modified 06/27/24 07:13 AM


Question


Can the Palo Alto use a Wildcard certificate for Inbound SSL Decryption (*.testwebsitecertificate.com) while the back end web servers use a more specific certificate such as (server1.testwebsitecertificate.com), (server2.testwebsitecertificate.com) and (server3.testwebsitecertificate.com)? 

Environment


  • Palo Alto Firewall
  • PAN-OS 8.1 and above.
  • Wildcard certificate for SSL Inbound Decryption

Answer


  1. No, Having a wildcard certificate on the firewall while the back servers have a different unique certificate will not work for SSL Inbound Decryption. 
  2. A New specific Decryption Policy rule must be made for each server certificate that is present and each server certificate must match the firewall certificate exactly. 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBbnCAG&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language