https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ios-certificate-issue/m-p/452010#M2214 <P>Hello,</P><P>&nbsp;</P><P>&nbsp; I’m in the middle of trying to make a gateway for iOS devices and I’m having an issue. I use MobileIron to push out the config and it uses an MI SCEP cert; I’ve added the MI SCEP CA to the PAN device and set it up as the auth profile. If I only do UN/PW I have no issue but as soon as I add cert requirement, the iPhone GP app has an error and if I check the PAN traffic log I see my phone IP traffic behind denied with a session end reason as “decrypt-cert-validation.” &nbsp;Based on what I have been able to read, this might be due to a cert not being X509 compliant.</P><P>&nbsp;</P><P>Can anyone help me understand what specifically is required in the cert or does anyone have any experience with this issue/config?</P><P>&nbsp;</P><P>&nbsp;Thanks in advance.&nbsp;</P> Wed, 08 Dec 2021 01:37:52 GMT COlson 2021-12-08T01:37:52Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ios-certificate-issue/m-p/452010#M2214 <P>Hello,</P><P>&nbsp;</P><P>&nbsp; I’m in the middle of trying to make a gateway for iOS devices and I’m having an issue. I use MobileIron to push out the config and it uses an MI SCEP cert; I’ve added the MI SCEP CA to the PAN device and set it up as the auth profile. If I only do UN/PW I have no issue but as soon as I add cert requirement, the iPhone GP app has an error and if I check the PAN traffic log I see my phone IP traffic behind denied with a session end reason as “decrypt-cert-validation.” &nbsp;Based on what I have been able to read, this might be due to a cert not being X509 compliant.</P><P>&nbsp;</P><P>Can anyone help me understand what specifically is required in the cert or does anyone have any experience with this issue/config?</P><P>&nbsp;</P><P>&nbsp;Thanks in advance.&nbsp;</P> Wed, 08 Dec 2021 01:37:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ios-certificate-issue/m-p/452010#M2214 COlson 2021-12-08T01:37:52Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ios-certificate-issue/m-p/454029#M2231 <P>Hi,</P><P>not sure if this is related to your issue but I had problems with iOS clients when the portal certificate was valid for more than one year.</P><P>I don't have the link at hand, but basically Apple doesn't accept any certificates with a validity longer than one year.</P> Fri, 17 Dec 2021 19:43:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ios-certificate-issue/m-p/454029#M2231 idelconsulting 2021-12-17T19:43:23Z