Install Certificate on PaloAlto 3020 - DigiCert
Problem Description :
Install DigiCert Certificate on PA-3020
Resolution :
**** DO NOT USE - These were the instructions under DigiCert - Comodo is now our SSL Cert vendor *******
1. Generate a CSR using OpenSSL on the Redhat server. Type the following:
$ openssl genrsa -des3 -out star_gordonstate_edu.key 2048
This command will create an encrypted private key, prompting for a passphrase during generation. Be sure to secure this passphrase as it will be required upon cert issuance for successful import onto your devices.
$ openssl req -new -key star_gordonstate_edu.key -out star_gordonstate_edu.csr
This command creates the CSR (Certificate Signing Request) and references the encrypted private key created in the previous step. Populate the required fields at each prompt. (You will also be prompted to enter the passphrase specified earlier.)
Country: US
State: Georgia
Locality Name: Barnesville
Organization Name: Gordon State College
Org Unit Name: Computer Services Department
Common Name: *.gordonstate.edu
Hit enter for the rest, which are optional attributes.
Successfully issuing the commands will create 2 files within the directory you ran the commands from. (star_gordonstate_edu.key and star_gordonstate_edu.csr)
2. SecureShell to the Redhat box and download the 2 files to your PC.
3. Log in to our DigiCert Account (britt@gordonstate.edu/xxxxxxxxx) and click on our Wildcard Plus Certificate Order.
4. Go down to the Reissue Actions and choose 'Get a Duplicate'.
5. Open the .csr file created in step #1 in Notepad and copy and paste its contents (the certificate request) into the box on the web page. For Server Software choose Apache. For subdomains, enter the 3 DNS entries we are using for the PA. They are:
captive.gordonstate.edu - for Resnet/wireless login
pa3020.gordonstate.edu - for management access
sslportal.gordonstate.edu - for GlobalProtect VPN
Submit the request
6. Once the request is submitted, scroll down to the bottom of the order page and refresh periodically until the 'Download' button appears for the certificate. This should only take a minute or 2.
7. Click on download and choose 'Recommended format for Apache' and click the Download button (may need to do in Firefox).
8. Save zipped folder to local PC.
9. Create a .pem with the Server and Intermediate Certificates (Intermediate - DigiCertCA.crt and Primary Certificates - star_gordonstate_edu.crt).
a. Open notepad and paste the entire body of each certificate into one text file in the following order:
i. The Primary Certificate
ii. The Intermediate Certificate
Make sure to include the beginning and end tags on each certificate. The result should look like this:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
Save the combined file as star_gordonstate_edu.pem. The .pem file is now ready to use.
10. Log into the PA-3020 and under Device click Certificates from left-column.
11. Click import and using the Base64 Encoded Certificate (PEM) File Format browse for your star_gordonstate_edu.pem file. Name the certificate something like 'Digicert'. You will use this name to add to the Server Certificate settings for Captive Portal and GlobalProtect. Check Import private key and browse for the private key created in step #1 (star_gordonstate_edu.key). Then enter the passphrase you created in step #1. Click OK to import.
12. Next, click on the certificate name and check the box 'Certificate for Secure Web GUI'. This is for the management link.
13. Save and Commit the changes.
14. Make sure Digicert (or whatever you named the Certificate) is selected for the Server Certificate under Device > User Identification > Captive Portal Settings tab.
15. Under Network > Global Protect > Portals & Gateways, make sure Digicert is selected for Server Certificate under both.
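Added example (not part of the original instructions): a shell check that can be run wherever OpenSSL is available, after building the .pem in step 9 and before the import in step 11. It confirms that the combined file holds the primary certificate first and its issuer second, that the primary certificate matches the private key, and that the PA hostnames are covered. The names check_bundle, make_demo_pki and the KEY_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-import checks for the key and combined .pem from step 9.
# Assumption: the key passphrase is supplied in the KEY_PASS environment variable.

# check_bundle KEY PEM [HOST...] : returns 0 only if every check passes
check_bundle() {
    key=$1; pem=$2; shift 2; rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, preserving file order.
    awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$pem"
    if [ ! -s "$tmp/c2.pem" ]; then
        echo "FAIL: $pem must hold the primary and the intermediate certificate"
        rm -rf "$tmp"; return 1
    fi
    # 1. The first certificate must carry the public half of the private key.
    kpub=$(openssl pkey -in "$key" -passin env:KEY_PASS -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$tmp/c1.pem" -noout -pubkey 2>/dev/null)
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "FAIL: first certificate does not match $key"; rc=1; }
    # 2. The first certificate must verify against the second (primary, then intermediate).
    openssl verify -partial_chain -CAfile "$tmp/c2.pem" "$tmp/c1.pem" >/dev/null 2>&1 ||
        { echo "FAIL: first certificate does not verify against the second"; rc=1; }
    # 3. Every service hostname must be covered by the primary certificate.
    for h in "$@"; do
        openssl x509 -in "$tmp/c1.pem" -noout -checkhost "$h" 2>/dev/null |
            grep -q 'does match' || { echo "FAIL: $h is not covered"; rc=1; }
    done
    rm -rf "$tmp"
    return $rc
}

# make_demo_pki DIR : constructed throwaway CA and wildcard leaf for an offline trial
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Intermediate" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -passin env:KEY_PASS \
        -subj "/CN=*.gordonstate.edu" -out "$d/leaf.csr"
    printf 'subjectAltName=DNS:*.gordonstate.edu\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/ca.crt" > "$d/good.pem"   # primary, then intermediate
    cat "$d/ca.crt" "$d/leaf.crt" > "$d/bad.pem"    # wrong order
}
```

To check the real files, source the script, export KEY_PASS, and run check_bundle star_gordonstate_edu.key star_gordonstate_edu.pem captive.gordonstate.edu pa3020.gordonstate.edu sslportal.gordonstate.edu; any FAIL line means the import in step 11 should wait.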
Revision Date : 11/14/2013