Install cert on Network Devices?


#1

Does Let’s Encrypt cert be installed on Network Deceives. For example, Palo Alto Firewalls.

Thank you,


#2

Yes, providing the device has a fully qualified domain name.


#3

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/certificate-management/obtain-a-certificate-from-an-external-ca#42761

three is also a chain about cisco ssl vpn


#4

Based on @ahaw021 link, you will be able to create a CSR (Certificate Signing Request) from the device, and you can use the Certbot software (or some other Let’s Encrypt clients) to submit this CSR to Let’s Encrypt. The CSR embodies a list of one or more FQDNs (Fully Qualified Domain Names) for which a certificate is requested, plus the device’s public key which will also be baked into the certificate, plus proof that the device has the private key corresponding to that public key. Certbot (or the other software you choose) will have specific documentation about how to use it when you have a CSR already, which you should read. If the software you want to use doesn’t say anything about how to present a CSR that you already have, it probably can’t be used in your scenario.

The only thing Let’s Encrypt needs besides this is proof that you really control the FQDN mentioned. This proof can be via control over a web server accessible on that FQDN, or through DNS TXT records.

However, because the Palo Alto Networks device needs manual steps during this process, and Let’s Encrypt certificates last only 90 days before expiring, you may decide that it makes more sense to choose a traditional commercial CA in order that you only need to renew certificates every year or two. If you decide that Let’s Encrypt would have suited your purposes except that the product’s manual renewal steps were a problem I encourage you to mention this to product vendors when you’re next in the market for a device that can use SSL certificates. On the other hand, tasks done every 8-10 weeks do have the advantage that somebody will probably document them and train their replacement how to do them. We do see situations where a company buys a two year certificate for something and then two years later nobody in the company knows how to replace it, and they get in a pickle.


Installing certificate for PAN-OS 8.0/8.1
#5

Oh. The other thing that sometimes might matter here is if you use this Device for a MITM proxy, which might have some nicer name like SSL Decryption or Web Gateway. This is only one possible use for a Palo Alto Networks device, but it bears mention.

In this mode the device impersonates other people’s systems, and so it needs to produce certificates for their names, not (just) yours. Let’s Encrypt will not be willing to help you do this, nor will any other legitimate public CA in the Web PKI. You can create your own CA for the purpose, or a company-wide CA can be used (e.g. corporate software from Microsoft, Red Hat that sort of thing can manage such a CA) to issue a subCA, and tools like Windows Group Policy are used to force all company computers to trust these otherwise untrustworthy certificates.


#6

Thank you all for responding, Great Answers !


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.