End-of-Life (EoL)
Keys and Certificates for Decryption Policies
Keys are strings of numbers that are typically generated using a mathematical operation involving random numbers and large primes. Keys are used to transform other strings, such as passwords and shared secrets, from plaintext to ciphertext (called encryption) and from ciphertext to plaintext (called decryption). Keys can be symmetric (the same key is used to encrypt and decrypt) or asymmetric (one key is used for encryption and a mathematically related key is used for decryption). Any system can generate a key.

X.509 certificates are used to establish trust between a client and a server in order to establish an SSL connection. A client attempting to authenticate a server (or a server authenticating a client) knows the structure of the X.509 certificate and therefore knows how to extract identifying information about the server from fields within the certificate, such as its FQDN or IP address (called a common name or CN within the certificate) or the name of the organization, department, or user to which the certificate was issued. All certificates must be issued by a certificate authority (CA). After the CA verifies a client or server, the CA issues the certificate and signs it with a private key. If you have two CAs with the same subject and key, and one CA expires, delete (custom) or disable (predefined) the expired CA (Device > Certificate Management > Device Certificates). If you do not delete or disable an expired CA, the firewall can build a chain to the expired CA if it is enabled in the trusted chain, resulting in a Block page.
With a decryption policy configured, a session between the client
and the server is established only if the firewall trusts the CA
that signed the server certificate. In order to establish trust,
the firewall must have the server root CA certificate in its certificate
trust list (CTL) and use the public key contained in that root CA
certificate to verify the signature. The firewall then presents
a copy of the server certificate signed by the Forward Trust certificate
for the client to authenticate. You can also configure the firewall
to use an enterprise CA as a forward trust certificate for SSL Forward
Proxy. If the firewall does not have the server root CA certificate
in its CTL, the firewall will present a copy of the server certificate
signed by the Forward Untrust certificate to the client. The Forward
Untrust certificate ensures that clients are prompted with a certificate
warning when attempting to access sites hosted by a server with
untrusted certificates.
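The decision described above, replayed with the openssl command-line tool as an added illustration (this is not PAN-OS code and does not reproduce the firewall's internals): a constructed root CA is placed in a certificate trust list (CTL), one origin server chains to it and another chains to a CA that is absent from the CTL, and the script mints the copy of each server certificate that a client would be shown, signed by a Forward Trust CA when the origin chain verifies and by a Forward Untrust CA when it does not. The last step evaluates the trusted chain at a point in time after the root has expired, which shows why an expired CA left in the trusted chain breaks verification. All CA names, host names and file prefixes are constructed for the demo.

```sh
#!/bin/sh
# Added illustration, not PAN-OS code: the forward-trust / forward-untrust
# decision of an SSL forward proxy, replayed with the openssl CLI.
# Every CA name, host name and file prefix below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# mk_ca <file-prefix> <common-name>: self-signed CA certificate, valid 2 days
mk_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 2 >/dev/null 2>&1
}

# issue_leaf <ca-prefix> <out-prefix> <common-name>: leaf certificate signed by
# that CA, valid 10 days (longer than the CA, so the expiry check hits the CA first)
issue_leaf() {
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -out "$2.crt" -days 10 >/dev/null 2>&1
}

# cn_of <cert> subject|issuer: extract the CN from that name of a certificate
cn_of() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# chains_to_ctl <server-cert> <ctl-pem> [epoch]: the firewall's check, does the
# server certificate chain to a root in the CTL? Exit status 0 = trusted,
# non-zero = untrusted. Only the CTL is consulted, never the system store.
# The optional epoch evaluates the chain at another point in time.
chains_to_ctl() {
    if [ -n "${3:-}" ]; then
        openssl verify -attime "$3" -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# forward_sign <server-cert> <ctl-pem> <out-prefix>: mint the certificate the client
# sees: same subject as the origin server, a fresh key, signed by the Forward Trust
# CA if the origin chain verified and by the Forward Untrust CA otherwise.
# Prints the issuer CN of the minted certificate.
forward_sign() {
    if chains_to_ctl "$1" "$2"; then signer=fwd_trust; else signer=fwd_untrust; fi
    issue_leaf "$signer" "$3" "$(cn_of "$1" subject)"
    cn_of "$3.crt" issuer
}

# --- constructed demo environment ---
mk_ca root        "Root CA"              # present in the firewall's CTL
mk_ca rogue       "Rogue CA"             # absent from the CTL
mk_ca fwd_trust   "Forward-Trust CA"
mk_ca fwd_untrust "Forward-Untrust CA"
cat root.crt > ctl.pem                   # the CTL: trusted roots as concatenated PEM

issue_leaf root  good "www.example.com"  # origin server with a trusted chain
issue_leaf rogue bad  "www.example.net"  # origin server signed by an unknown CA

# Run the decision for both servers: the client gets a Forward Trust copy for the
# first and a Forward Untrust copy (which triggers the browser warning) for the second.
echo "www.example.com -> client sees a certificate issued by: $(forward_sign good.crt ctl.pem good_copy)"
echo "www.example.net -> client sees a certificate issued by: $(forward_sign bad.crt ctl.pem bad_copy)"

# The expired-CA caveat: evaluate the trusted chain three days from now, after the
# 2-day root has expired. The same server no longer verifies.
later=$(( $(date +%s) + 3 * 86400 ))
if chains_to_ctl good.crt ctl.pem "$later"; then
    echo "www.example.com still verifies"
else
    echo "www.example.com no longer verifies once Root CA has expired"
fi
```

Run it with any OpenSSL 1.1.1 or 3.x build; it needs no network and leaves its files in a temporary directory. The two `openssl verify` calls are the whole decision: the CTL file stands in for the firewall's trust list, and `-no-CAfile -no-CApath` keep the host's own root store out of the result so only the CTL decides.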
For detailed information on certificates, see Certificate Management.
To control the CAs that your firewall trusts, use the Device > Certificate Management > Certificates > Default Trusted Certificate Authorities tab on the firewall web interface.
The following table describes the different keys and certificates used by Palo Alto Networks firewalls for decryption. As a best practice, use different keys and certificates for each usage.
Key/Certificate Usage | Description |
---|---|
Forward Trust | The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall trusts. To configure a Forward Trust certificate on the firewall, see step 2 in the Configure SSL Forward Proxy task. By default, the firewall determines the key size to use for the client certificate based on the key size of the destination server. However, you can also set a specific key size for the firewall to use. See Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the forward trust certificate on a Hardware Security Module (HSM); see Store Private Keys on an HSM. |
Forward Untrust | The certificate the firewall presents to clients during decryption if the site the client is attempting to connect to has a certificate that is signed by a CA that the firewall does not trust. To configure a Forward Untrust certificate on the firewall, see step 4 in the Configure SSL Forward Proxy task. |
SSL Exclude Certificate | Certificates for servers that you want to exclude from SSL decryption. For example, if you have SSL decryption enabled but have certain servers that you do not want included in SSL decryption, such as the web services for your HR systems, you would import the corresponding certificates onto the firewall and configure them as SSL Exclude Certificates. See Exclude a Server from Decryption. |
SSL Inbound Inspection | The certificate used to decrypt inbound SSL traffic for inspection and policy enforcement. For this application, you would import the server certificate for the servers for which you are performing SSL inbound inspection, or store them on an HSM (see Store Private Keys on an HSM). |

Table: Palo Alto Networks Firewall Keys and Certificates