

If you are using your Palo Alto Networks firewall as a trusted root CA, you can generate a web server certificate for MineMeld to replace the self-signed one.

Go to your Palo Alto Networks firewall or Panorama WebGUI.

Device > Certificate Management > Certificate.

At the bottom of the screen, click Generate to create a new certificate.

Ensure that it is signed by the firewall by clicking "Certificate Authority".

Export the pem file with the private key by clicking the certificate you want to export and clicking Export at the bottom of the screen.

Then use "Base64 Encoded Certificate (PEM)" and also select "Export private key" and click OK.

Now copy the cert to MineMeld with the command:

> scp cert_minemeld.pem

Now, log into MineMeld via ssh with the command:

ssh

Now back up the current certificates in case you need to revert to them if something goes wrong:

$ sudo mv /etc/nginx/minemeld.cer /etc/nginx/minemeld.cer-orig
$ sudo mv /etc/nginx/minemeld.pem /etc/nginx/minemeld.pem-orig

The pem file that you generated will have both the private and public key, so you need to split the two. This is how I did it, you may have a better way. The file is readable, so you can copy and paste the sections into two different files or use the CLI commands:

NOTE: There might be an error when using sudo that refers to missing entries in the /etc/hosts file, as the hostname is not automatically added to this file.

$ cat cert_minemeld.pem | awk 'split_after=1'
$ sudo cp minemeld.cer /etc/nginx/minemeld.cer
$ sudo openssl rsa -in minemeld1.cer -out /etc/nginx/minemeld.pem

Now restart the browser session and you should not receive an untrusted error, if the root CA that signed the certificate is installed correctly on your machine.

Some of you might have a Lab-In-A-Box environment and/or want to use the local Windows server for certificate maintenance like I do. Nearly all of my certs are certified by the Windows domain CA, even if I have a registration authority (RA) on my PAN firewall - I only use it for local services like GP and others.
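One way to do the split of the exported file into certificate and private key described above, keeping the key file owner-only while it sits on disk (an added example, not the article's own commands). The function names, the minemeld.key output name and the sample bundle are assumptions; the sample is constructed and contains no real key material.

```shell
#!/bin/sh
# Added example. split_pem, make_sample_bundle and minemeld.key are hypothetical names.

# split_pem BUNDLE CERT_OUT KEY_OUT
# Writes CERTIFICATE blocks to CERT_OUT and the (possibly encrypted) private
# key block to KEY_OUT. Returns non-zero unless both kinds of block were found.
split_pem() {
    bundle=$1; cert_out=$2; key_out=$3
    old_umask=$(umask)
    umask 077                         # new files are created owner-only
    : > "$cert_out"; : > "$key_out"
    chmod 600 "$key_out"              # also tighten a pre-existing key file
    awk -v cert="$cert_out" -v key="$key_out" '
        /^-----BEGIN CERTIFICATE-----/    { out = cert }
        /^-----BEGIN .*PRIVATE KEY-----/  { out = key }
        out != ""                         { print > out }  # text outside blocks is dropped
        /^-----END /                      { out = "" }
    ' "$bundle"
    umask "$old_umask"
    chmod 644 "$cert_out"             # the certificate is public
    grep -q '^-----BEGIN CERTIFICATE-----' "$cert_out" &&
        grep -q 'PRIVATE KEY-----' "$key_out"
}

# Constructed sample input: the base64 bodies are placeholders, not key material.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes: constructed sample
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END ENCRYPTED PRIVATE KEY-----
EOF
}

demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/cert_minemeld.pem"
split_pem "$demo_dir/cert_minemeld.pem" "$demo_dir/minemeld.cer" "$demo_dir/minemeld.key" &&
    ls -l "$demo_dir"
```

The key block written here is still in whatever form the firewall exported it, so it would still go through the `openssl rsa` step before nginx reads it.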
