Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

tamilvanan — Wed, 27 Oct 2021 08:09:25 GMT

Hi Folks,

Our GP VPN Portal and Gateway Certificate had expired recently. When we created an new self signed certificate on Palo Alto firewall and mapped it to GP VPN Portal and Gateway.

We are able to connect to portal and Gateway and it is working fine for windows and Android device.

But when we try to connect to GP Portal through IOS device we are successfully authenticated into the portal but not able to connect to Gateway.

Checked the GP Logs collected from the Apple IOS Device and could see the Portal authentication is being succeeded and connected. HIP report is also being send by the IOS device but the IOS device is not establishing connectivity to the Gateway and showing the below error:

{
Certificate = "<cert(0x105829a00) s: x.x.x.x i: x.x.x.x>";
Property = {
type = error;
value = "Policy requirements not met.";
};
}
)}
connectTimeout: 5
receiveTimeout: 30
responseData(0):

P1363-T14087 10/21/2021 18:14:07:926 Debug( 482): error detail is Server cert verification failed
P1363-T14087 10/21/2021 18:14:07:926 Info ( 305): Session <__NSURLSessionLocal: 0x104c4f2e0> set to (null)
P1363-T14087 10/21/2021 18:14:07:926 Debug( 331): m_errorDetails is Server cert verification failed.

Checked some documentation and came to know IOS device will only establish connectivity with an server if the certificate met some requirements set by apple.

GLOBAL PROTECT DOESN'T CONNECT IN IOS 13 AND MACOS 10.15 DUE TO" SERVER CERTIFICATE VERIFICATION FAILED":

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HB5rCAG

Requirements for trusted certificates in iOS 13 and macOS 10.15(Apple Documentation)
https://support.apple.com/en-in/HT210176

Is there any idea on how to create an self signed certificate on Palo Alto firewall that will be compactible with IOS 15 and 14 device certificate requirements ?

Thanks in advance!!

Re: Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

Abdul-Fattah — Wed, 27 Oct 2021 11:55:48 GMT

make sure your self-signed comply with this also:
https://support.apple.com/en-us/HT211025
you can make the self-signed root CA trusted under your IOS device settings: Settings > General > About > Certificate Trust Settings then enable full trust for that CA.

Re: Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

darrengayler — Tue, 21 Dec 2021 18:54:15 GMT

Ensure that the SSL cert has a SAN (Host Name in Certificate attributes) that matches the CN/FQDN. Make sure the Cert follows Apple's req's, including the validity <=825 days. Add the Root Certificate to the Apple device trust store (you can email yourself the root cert and open it on the iPhone to get it into your trust store via profiles). Then Follow Abdul-Fattah's recommendation to trust the self-signed Root.

topic Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall in GlobalProtect Discussions

Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

Re: Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

Re: Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall