: Multiple Certificate Support for SSL Inbound Inspection
Focus
Focus

Multiple Certificate Support for SSL Inbound Inspection

Table of Contents

Multiple Certificate Support for SSL Inbound Inspection

You can add a new certificate to your SSL Inbound Inspection decryption rule while an old certificate is still valid.
You can now configure SSL Inbound Inspection policy rules with up to 12 server certificates. Newly added support for multiple certificates enables you to update certificates on your protected servers without decryption downtime. You can also configure rules to decrypt and inspect traffic to servers that host multiple domains, each with a different certificate.
To ensure a valid certificate is always available, import the new server certificate and key on your firewall and add it to your Decryption policy rule before updating your web server. The firewall uses the old but valid server certificate to proxy the connection between the client and your internal server to decrypt and inspect inbound SSL/TLS traffic. After you install the new certificate on your server, the firewall will use it for new SSL/TLS connections as long as the certificate in your SSL Inbound Inspection policy rule matches the server certificate. If a certificate mismatch occurs, the session ends, and the Decryption log entry reports the session-end reason as a firewall and server certificate mismatch.
(Panorama ) Support for multiple certificates in SSL Inbound Inspection policy rules is unavailable in PAN-OS versions earlier than 10.2. If you push an SSL Inbound Inspection policy rule with multiple certificates from a Panorama management server running PAN-OS ® 10.2 to a firewall running an earlier version, only one certificate is preserved in the policy rule on the firewall.
Before pushing your Decryption policy rule from Panorama, we recommend you set up different templates or device groups for firewalls running PAN-OS 10.1 and earlier to ensure you push the correct policy rule and certificate to the appropriate firewalls.
Perform the following steps to update your firewall and SSL Inbound Inspection rule with a newly issued server certificate.
  1. Import the new certificate and private key for the internal server whose inbound SSL traffic you want to decrypt and inspect to the firewall.
    Depending on the TLS version in use, you may need to upload the end-entity (leaf) certificate as part of a certificate bundle (single file) to the firewall to prevent server certificate validation errors.
  2. Add the certificate to your Decryption policy rule, then click OK.
    Upon clicking OK, the firewall automatically sorts the certificates alphabetically.
  3. Commit your changes.
  4. When you are ready...
    1. Load your web server with the new certificate.
    2. (Best Practice) Remove expired or otherwise invalid certificates from your Decryption policy rule and the firewall.