https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464852#M2457 <P>Thanks for the reply - i have got two users to go into site and the server team had to remote onto their laptop and do the following&nbsp;</P><P>&nbsp;</P><UL><LI>Start</LI><LI>Manage computer certificates</LI><LI>Personal</LI><LI>Root certificates</LI><LI>… issued by ROOTCA - click on the certificate and renew it&nbsp;</LI></UL><P>Should this not be an automatic thing that happens once a year.&nbsp;&nbsp;</P> Thu, 10 Feb 2022 11:38:28 GMT Kevin-OHare 2022-02-10T11:38:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464617#M2451 <P>Hello,</P><P>&nbsp;</P><P>I have over 1000 users and just this week some users (maybe 10) have not been able to connect to Global Protect from home.&nbsp; I worked out its because their ROOTCA has expired under Manage Certificates on their laptop.&nbsp; Its been working for 2 years and every user seems to have different dates.&nbsp; As far as i know the certificate server on-prem corporate network is supposed to update their certificate periodically.&nbsp; It must have done this at some stage.&nbsp; I am not getting much response from the server team who look after the certificate server and i know the Global Protect users have routing and a the relevant ports open to connect to the cert server.</P><P>&nbsp;</P><P>When a user cant connect he has to drive to the office and connect to the LAN.&nbsp; The the server team issue him a renewed certificate.&nbsp; Then he can go home and connect in again no problems&nbsp;</P><P>&nbsp;</P><P>How do i prove the palo alto is not the problem</P><P>&nbsp;</P><P>thanks, Kevin</P> Wed, 09 Feb 2022 20:21:13 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464617#M2451 Kevin-OHare 2022-02-09T20:21:13Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464734#M2454 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167045">@Kevin-OHare</a>,</P> <P>Ummm ... that actually sounds like a firewall problem to me. Short of something being very oddly configured in Group Policy, I can't see how this isn't an issue with communication between the GlobalProtect clients and your PKI hosts. Sadly you would need your server team to review Group Policy and the PKI server if you don't have access to either, but if its working when a client is on-site it should be working over the GlobalProtect connection.&nbsp;</P> Thu, 10 Feb 2022 03:56:21 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464734#M2454 BPry 2022-02-10T03:56:21Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464852#M2457 <P>Thanks for the reply - i have got two users to go into site and the server team had to remote onto their laptop and do the following&nbsp;</P><P>&nbsp;</P><UL><LI>Start</LI><LI>Manage computer certificates</LI><LI>Personal</LI><LI>Root certificates</LI><LI>… issued by ROOTCA - click on the certificate and renew it&nbsp;</LI></UL><P>Should this not be an automatic thing that happens once a year.&nbsp;&nbsp;</P> Thu, 10 Feb 2022 11:38:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-users-cant-connect-certificate-out-of-date/m-p/464852#M2457 Kevin-OHare 2022-02-10T11:38:28Z