Monday, December 30, 2024

Palo Alto Self-Signed Certificate ERR_SSL_KEY_USAGE_INCOMPATIBLE

If you found this page, it seems the Palo Alto KB did not help. Don't keep regenerating the self-signed certificate; it doesn't help. Here are the steps.

For Windows users

Set up OpenSSL

1. Download and install OpenSSL from Shining Light Productions (please donate if it helps)


Then generate the CSR (Palo Alto KB)

1. Complete the "Generate the CSR" steps

Back on your laptop/PC, sign the certificate

1. Open CMD as administrator and go to the OpenSSL folder, for example C:\Program Files\OpenSSL-Win64\bin

2. Type the command below to create the root CA private key:

openssl.exe genrsa -out rootCA.key 2048

3. Type the command below to create the self-signed root CA certificate:
openssl.exe req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"

4. Create an extensions file. For example, in C:\Program Files\OpenSSL-Win64\bin, create a text file named v3_req.txt with the content below. Each setting must be on its own line.

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

Save it.

5. Download the CSR from Palo Alto and save it to the OpenSSL bin directory, for example C:\Program Files\OpenSSL-Win64\bin

6. Type the command below, replacing server.csr with the name of the downloaded CSR. The -extensions v3_req option tells OpenSSL to read the [ v3_req ] section of the file; without it, extensions that sit only in a named section are not added to the certificate.
openssl.exe x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_req.txt -extensions v3_req

7. Upload the signed certificate to Palo Alto. Make sure the certificate name is exactly the same as the generated CSR file name.

With that, the issue was solved.
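Before uploading, the signed certificate can be checked from the same CMD window. The batch file below is an added example, not part of the original steps or of any Palo Alto tooling. It assumes the file names used above (rootCA.crt, server.csr, server.crt) and writes three scratch files whose names are made up for this example.

```batch
@echo off
rem Added example: check server.crt before uploading it to the firewall.
rem Run from the OpenSSL bin folder used in the steps above.
rem Assumed file names: rootCA.crt, server.csr, server.crt.
setlocal

rem 1. The certificate must chain to the root CA created in step 3.
openssl.exe verify -CAfile rootCA.crt server.crt
if errorlevel 1 goto :fail

rem 2. Dump the certificate and look for the values set in v3_req.txt.
openssl.exe x509 -in server.crt -noout -text > check_crt.txt
if errorlevel 1 goto :fail

findstr /C:"Digital Signature" check_crt.txt >nul
if errorlevel 1 (echo MISSING: keyUsage digitalSignature & goto :fail)

findstr /C:"Key Encipherment" check_crt.txt >nul
if errorlevel 1 (echo MISSING: keyUsage keyEncipherment & goto :fail)

findstr /C:"TLS Web Server Authentication" check_crt.txt >nul
if errorlevel 1 (echo MISSING: extendedKeyUsage serverAuth & goto :fail)

rem 3. The public key in the certificate must be the one in the CSR,
rem    otherwise the firewall cannot pair it with its private key.
openssl.exe req -in server.csr -noout -pubkey > check_csr_pub.pem
if errorlevel 1 goto :fail
openssl.exe x509 -in server.crt -noout -pubkey > check_crt_pub.pem
if errorlevel 1 goto :fail
fc check_csr_pub.pem check_crt_pub.pem >nul
if errorlevel 1 (echo MISMATCH: server.crt was not issued for server.csr & goto :fail)

echo OK: server.crt has the expected key usage and matches the CSR
del check_crt.txt check_csr_pub.pem check_crt_pub.pem
exit /b 0

:fail
echo FAILED: do not upload server.crt yet
exit /b 1
```

If a MISSING line is printed, the extensions file was not applied when signing; recheck v3_req.txt and the command in step 6.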
