Install Certificate on PaloAlto 3020 - Comodo

Problem Description:

Install Comodo Certificate on PA-3020

Resolution:

1. Follow the instructions in the best solution "Apache Redhat SSL Certificate Request and Installation (For Comodo)" to create Apache-readable certificate files via OpenSSL. You can also run OpenSSL on Windows using http://www.openssl.org/related/binaries.html.


2. Create a text file with a .pem extension that contains the entire "chain" of certificates.

a. For the PA firewall to import the file, the certificates in it must be ordered as: 1) Server Certificate 2) Intermediate 3) Root CA

b. From the step 1 instructions, gather the Apache-readable cert files: 1) the ComodoSSL.crt file, 2) the star_gordonstate_edu.crt file, and 3) star_gordonstate_edu.key

c. Open Notepad and paste the entire body of each certificate into one text file in the order listed in step 2a above (star_gordonstate_edu.crt + ComodoSSL.crt)

Make sure to include the beginning and end tags on each certificate. The result should look like this:

-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----

Save the combined file as star_gordonstate_edu.pem. The .pem file is now ready to use.


3. Log into the PA-3020 and, under Device, click Certificates in the left column.

4. Click Import and, using the Base64 Encoded Certificate (PEM) file format, browse for your star_gordonstate_edu.pem file. Name the certificate something like 'ComodoYY'; you will use this name when setting the Server Certificate for Captive Portal and GlobalProtect. Check Import Private Key and browse for the private key created in step 1 (star_gordonstate_edu.key), then enter the passphrase set up in step 1. Click OK to import.
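The following is an added example, not part of the original article, for sanity-checking the combined .pem file from step 2 before importing it. It splits the file into CERTIFICATE blocks, confirms that each certificate was issued by the one after it (server, then intermediate, then root), confirms that the last certificate is self-signed, and flags private key material, which belongs in the separately imported .key file and not in the bundle. The DER walker reads only the issuer and subject names and does not verify signatures; use openssl verify for that. The fake_cert helper and the names it uses are constructed test data, not real certificates.

```python
import base64
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

MSG_KEY = "bundle contains private key material; the .key is imported separately"
MSG_EMPTY = "no CERTIFICATE blocks found"
MSG_NO_ROOT = "last certificate is not self-signed; the root CA is not included"


def _tlv(data, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length


def cert_issuer_subject(der):
    """Return the raw DER contents of the issuer and subject Name fields."""
    tag, cert, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this a certificate?)")
    _, tbs, _ = _tlv(cert, 0)              # tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        t, v, pos = _tlv(tbs, pos)
        fields.append((t, v))
    if fields and fields[0][0] == 0xA0:    # optional [0] EXPLICIT version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    # remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]


def split_bundle(text):
    """Base64-decode every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_CERT_RE.findall(text)]


def check_bundle(text):
    """Return a list of problems; empty means the order is server, intermediate(s), root."""
    problems = []
    if "PRIVATE KEY" in text:
        problems.append(MSG_KEY)
    certs = split_bundle(text)
    if not certs:
        return problems + [MSG_EMPTY]
    names = [cert_issuer_subject(c) for c in certs]
    for i in range(len(names) - 1):
        issuer, _ = names[i]
        _, next_subject = names[i + 1]
        if issuer != next_subject:
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}; "
                            "expected order is server, intermediate, root")
    last_issuer, last_subject = names[-1]
    if last_issuer != last_subject:
        problems.append(MSG_NO_ROOT)
    return problems


# ---- constructed test data (hypothetical, not real certificates) ----------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF (commonName OID, UTF8String)
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    """Stand-in with the X.509 field layout but empty algorithm, validity, key and signature."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT = fake_cert("Constructed Root CA", "Constructed Root CA")
INTERMEDIATE = fake_cert("Constructed Intermediate CA", "Constructed Root CA")
SERVER = fake_cert("star.example.test", "Constructed Intermediate CA")
GOOD_BUNDLE = to_pem(SERVER) + to_pem(INTERMEDIATE) + to_pem(ROOT)
WRONG_ORDER = to_pem(ROOT) + to_pem(INTERMEDIATE) + to_pem(SERVER)

if __name__ == "__main__":
    print("good bundle:", check_bundle(GOOD_BUNDLE) or "OK")
    print("wrong order:", check_bundle(WRONG_ORDER))
```

To check the real file, call check_bundle(open("star_gordonstate_edu.pem").read()); an empty list means the block order matches step 2a. Name matching is enough to catch a pasted-in-reverse chain or a missing root, which are the usual reasons the firewall rejects or serves an incomplete chain, but it says nothing about whether the signatures are valid.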

Assign to Web GUI

1. Go to Device > Certificate Management > SSL/TLS Service Profile. Configure an SSL/TLS Service Profile and choose the certificate that you want to use for the web-based management sessions. You can also configure the Protocol Settings with an appropriate TLS version. Save and Commit the changes.

2. Navigate to Device > Setup > Management > General Settings > SSL/TLS Service Profile. From the dropdown, select the SSL/TLS Service Profile configured above.

3. If using Captive Portal, make sure the Comodo cert (or whatever you named the certificate) is selected as the Server Certificate under the Device > User Identification > Captive Portal Settings tab.

4. Under Network > GlobalProtect > Portals and Gateways, make sure Comodo is selected as the Server Certificate under both the Portal and the Gateway.

5. Commit the changes.

After committing the changes, the web server daemon responsible for the web GUI is restarted and you will lose connectivity to the web GUI. Log in to the web GUI again; you will then see the new certificate configured in the steps above being used as the certificate for web management.

Revision Date: 3/3/2017