Certificate Auth Notes

Remove PEM Password

Use the openssl rsa command to remove the passphrase from a private key. Pass the passphrase-protected .key file with -in; the unencrypted key is written to the .key file named by -out.

openssl rsa -in fplabs_with_pass.key -out fplabs.key

DDR cert auth notes

SSL forward proxy certificate signing

sudo openssl ca -config paloCAopenssl.cnf -extensions v3_intermediate_ca -days 3750 -notext -md sha256 -in intermediate/csr/ssl-lab20.csr -out intermediate/certs/ssl-lab20.crt

sudo openssl ca -config paloCAopenssl.cnf -extensions v3_intermediate_ca -days 3750 -notext -md sha256 -in intermediate/csr/cert_Palo_SSL_outbound.csr -out intermediate/certs/Palo_SSL_outbound.crt


This is what should be used

Creating proxy certificates

Creating proxy certificates can be done using the openssl-x509(1) command, with some extra extensions:

[ proxy ]

# A proxy certificate MUST NEVER be a CA certificate.

basicConstraints = CA:FALSE

# Usual authority key ID

authorityKeyIdentifier = keyid,issuer:always

# The extension which marks this certificate as a proxy

proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB

Ref: https://www.openssl.org/docs/manmaster/man7/proxy-certificates.html
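
An added example (not part of the original notes or of the OpenSSL documentation): it signs a proxy certificate using the [ proxy ] section above and shows that openssl verify rejects the chain unless -allow_proxy_certs is given. The demo CA, the subject names, the file names and the helper functions make_proxy_chain and verify_chain are assumptions made for the example.

```shell
#!/bin/sh
# Added example. The demo CA, subjects and file names are constructed;
# only the [ proxy ] section is taken from the notes.
make_proxy_chain() (    # subshell body, so the cd stays local
    cd "$1" || exit 1
    cat > proxy.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ user_ext ]
basicConstraints = CA:FALSE
[ proxy ]
basicConstraints = CA:FALSE
authorityKeyIdentifier = keyid,issuer:always
proxyCertInfo = critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
EOF
    # stderr is discarded only to hide key-generation progress output.
    new_key() { openssl req -new -newkey rsa:2048 -nodes -config proxy.cnf "$@" 2>/dev/null; }
    sign()    { openssl x509 -req -CAcreateserial -extfile proxy.cnf "$@" 2>/dev/null; }

    # Throwaway self-signed root CA.
    new_key -x509 -days 30 -extensions ca_ext -subj "/DC=example/CN=Demo CA" \
        -keyout ca.key -out ca.crt || exit 1
    # End-entity (user) certificate, signed by the CA.
    new_key -subj "/DC=example/CN=alice" -keyout user.key -out user.csr &&
    sign -in user.csr -CA ca.crt -CAkey ca.key -days 30 \
        -extensions user_ext -out user.crt || exit 1
    # Proxy certificate: signed by the user key, not by the CA. Its subject
    # must be the issuer's subject plus one extra CN (RFC 3820).
    new_key -subj "/DC=example/CN=alice/CN=proxy" -keyout proxy.key -out proxy.csr &&
    sign -in proxy.csr -CA user.crt -CAkey user.key -days 7 \
        -extensions proxy -out proxy.crt
)

# Verify proxy.crt in directory $1; extra arguments are passed to openssl verify.
verify_chain() (
    cd "$1" || exit 1
    shift
    openssl verify "$@" -CAfile ca.crt -untrusted user.crt proxy.crt >/dev/null 2>&1
)

work=$(mktemp -d)
make_proxy_chain "$work" || echo "chain generation failed"
verify_chain "$work" || echo "default verify: rejected"
verify_chain "$work" -allow_proxy_certs && echo "with -allow_proxy_certs: accepted"
```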