Nginx Proxy Manager (NPM) is an open-source Docker image that lets you run a reverse proxy and can even handle SSL certificates for you using Let’s Encrypt. It’s great when you can’t use a Cloudflare Tunnel or an Entra App Proxy. I’ve been using Nginx Proxy Manager for a while now, and it’s been perfect…
An issue I’ve run into on Palo Alto Networks firewalls is that everything seems to work when importing a certificate (usually a PFX). Until you start using the certificate, then after a validation or a commit, there’s a warning that the certificate chain is not correctly formed. Warning: certificate chain not correctly formed in certificate…
Sometimes, you have a certificate in PEM format as a CRT file (also called a CER file) with a key file (also called a PEM file), and you need to combine and convert them into a PFX certificate. In this post, I will show you step-by-step how to convert a PEM certificate into a PFX…
There are many ways to generate a CSR (Certificate Signing Request). In this post, I will show you step-by-step how to generate a CSR using OpenSSL. Prerequisites The Process I will be using C:\SSL as my working directory. I will be using Microsoft Windows with Windows Terminal and PowerShell. In my example, I will name my private…
There are a few ways to grant external access to an internal application without doing any port forwarding. The way to do this in Microsoft’s world is through an Entra Application Proxy. The name is a bit of a mess, as Microsoft renamed the Microsoft Entra application proxy program to Microsoft Entra private network connector.…
On November 18th, 2024, the certificates that the Palo Alto User-ID agent and the Palo Alto Terminal Server agent use to communicate with a Palo Alto firewall will expire, causing all communication to fail. Palo Alto Networks has made new versions of the User-ID and TS agents with updated certificates that will expire on January…
Palo Alto Networks firewalls often require a device certificate. A device certificate is needed for items like device telemetry and for some of the CDSS (Cloud-Delivered Security Services) items, such as WildFire, DNS and URL filtering, and others. In this post, I show you step-by-step how to check if a device certificate is installed and…
Inspecting TLS/SSL traffic on corporate networks is very common, as over 80% of all web traffic is encrypted. If you aren’t performing TLS/SSL traffic inspection, you are potentially leaving your network exposed. The simple act of inspecting SSL connections helps reduce your attack surface. SSL inspection can make it harder to establish malicious outbound connections,…
Certificate chain issues are extremely widespread and more common than you think. You start to see how many websites have broken certificate chains when you start performing SSL inspection on a network. If you want to read more about certificate chains, my post Certificate Chain goes into more detail. My website, thedxt.ca, has a server…
This post will explain the main components of a certificate and how they contribute to a certificate chain. A certificate chain consists of three main components: Root CA A root CA is the most trusted source of authority for certificates. It is the first link in a certificate chain, and all certificates are issued by…
