Monday, December 30, 2024

Palo Alto Self-Signed Certificate ERR_SSL_KEY_USAGE_INCOMPATIBLE

If you found my page, it seems the Palo Alto KB didn't help. Don't keep regenerating the self-signed certificate; it doesn't help. Here are the steps.

For Windows users

Set up OpenSSL

1. Download and install OpenSSL from Shining Light Productions (please donate if it helps)


Then generate the CSR (Palo Alto KB)

1. Complete the "Generate the CSR" steps

Back on your laptop/PC, start signing the certificate

1. Open CMD as administrator and go to the OpenSSL folder, for example C:\Program Files\OpenSSL-Win64\bin

2. Type in the command:

openssl.exe genrsa -out rootCA.key 2048

3. Type in the command:
openssl.exe req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"

4. Create an extensions file. For example, in C:\Program Files\OpenSSL-Win64\bin, create a text file named v3_req.txt with the content below:

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

Save it.

5. Download the CSR from Palo Alto and save it to the OpenSSL bin directory, for example C:\Program Files\OpenSSL-Win64\bin

6. Type in the command below, replacing server.csr with the name of the downloaded CSR. The -extensions v3_req option makes OpenSSL read the [ v3_req ] section of the extensions file; without it only the unnamed default section of the file is read.
openssl.exe x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_req.txt -extensions v3_req

7. Upload the signed certificate to Palo Alto. Make sure the certificate name is exactly the same as the generated CSR file name.

This was able to solve the issue.
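A check worth running before the upload in step 7, as an added example that is not part of the original post: it repeats steps 2 to 6 in a temporary directory and prints which keyUsage and extendedKeyUsage values end up in the signed certificate, with and without -extensions v3_req. It is written for a POSIX shell (Git Bash or WSL on Windows) with openssl on the PATH; the CSR, its CN fw.example.test and the output file names are constructed stand-ins.

```shell
#!/bin/sh
# Added example. All keys, names and the CSR are constructed stand-ins created
# in a temporary directory; the real CSR would come from the firewall (step 5).
set -e
LAB=$(mktemp -d)

# Steps 2-3: throwaway root CA.
openssl genrsa -out "$LAB/rootCA.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -key "$LAB/rootCA.key" -sha256 -days 3650 \
    -out "$LAB/rootCA.crt" -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"

# Stand-in for the CSR downloaded from the firewall (hypothetical CN).
openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/server.key" \
    -out "$LAB/server.csr" -subj "/CN=fw.example.test" 2>/dev/null

# Step 4: extensions file, one extension per line.
cat > "$LAB/v3_req.txt" <<'EOF'
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
EOF

# Step 6: sign the CSR; extra arguments are passed through to openssl x509.
sign() {
    out=$1; shift
    openssl x509 -req -in "$LAB/server.csr" -CA "$LAB/rootCA.crt" \
        -CAkey "$LAB/rootCA.key" -CAcreateserial -out "$out" -days 365 \
        -sha256 -extfile "$LAB/v3_req.txt" "$@" 2>/dev/null
}

# Print the value of one X509v3 extension of a certificate (empty if absent).
ext_value() {
    openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2:" | tail -n 1 | sed 's/^ *//'
}

sign "$LAB/default_section.crt"                     # no -extensions: default section is read
sign "$LAB/v3_req_section.crt" -extensions v3_req   # [ v3_req ] section is read

for crt in default_section v3_req_section; do
    echo "$crt:"
    echo "  keyUsage         = $(ext_value "$LAB/$crt.crt" 'Key Usage')"
    echo "  extendedKeyUsage = $(ext_value "$LAB/$crt.crt" 'Extended Key Usage')"
done
# Confirm the signed certificate chains to the throwaway root.
openssl verify -CAfile "$LAB/rootCA.crt" "$LAB/v3_req_section.crt"
```

An empty value means the extension is not in the certificate at all. To check the real file, run the same openssl x509 -in server.crt -noout -text command on it and look for the X509v3 Key Usage lines.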

Saturday, December 7, 2024

Ping Test Tool

Although there are lots of free ping test tools, I developed my own version of a ping test tool that suits my troubleshooting purposes. Feel free to download it and give me feedback.

My own version of the ping test tool logs the time on each ping result; this time logging can be disabled too.


Here is the tool:

ping test tools





Friday, June 21, 2024

Let's start NSE8!

Let's start the NSE 8 journey. I wonder whether I'll be able to achieve it within a year, or might not, or drag it out another decade XD.

After going through the CCIE - Sec exam, I roughly understand how the exam is going to look.

I hope my company sponsors me for this exam, as I moved away from network security into cloud security. Ahem, FortiSASE is also cloud sec what.



I'm still struggling with whether I should release to the public the alpha version of the Cisco Lina/ASA firewall policy conversion tool, which was developed using company resources (laptop).