https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561393#M4505 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/3296">@emr_1</a>&nbsp;Thank you for your reply</P> <P>&nbsp;</P> <P>A number of customers are experiencing the symptom now, and i have checked the certificate based on the information you provided.</P> <P>&nbsp;</P> <P>All certificates verified as version3.</P> <P>&nbsp;</P> <P>Therefore, I believe there is another cause for this problem.</P> <P>&nbsp;</P> <P>If there is any further confirmation, I will update this ticket.</P> Thu, 12 Oct 2023 07:29:19 GMT KyungjunCHOE 2023-10-12T07:29:19Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561370#M4503 <P>Dear Team,&nbsp;</P> <P>&nbsp;</P> <P>Among models using Android 13, kernel 5.4 or 5.15, a certificate error appears to occur when connecting to the GP.</P> <P>&nbsp;</P> <P>I confirmed with TAC that I need to use version 3 certificate.</P> <P>&nbsp;</P> <P>However, many customers are using Paloalto's own CA certificate.</P> <P>&nbsp;</P> <P>Is there a way to create a v3 certificate in Paloalto?</P> Thu, 12 Oct 2023 04:28:20 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561370#M4503 KyungjunCHOE 2023-10-12T04:28:20Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561382#M4504 <P>I believe default setting is to generate v3 certificate.</P> <P>Here is my test result with PAN-OS 9.1.12</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Image 001.png" style="width: 655px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54351i1B42E92ED2E3A6D3/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Image 001.png" alt="Image 001.png" /></span></P> <P>&nbsp;</P> <P>After export this cert, check with openssl command:</P> <P>====</P> <P>user@dom:~$ openssl x509 -text -noout -in ./cert_testcert.crt<BR />Certificate:<BR />Data:<BR /><FONT color="#FF0000"><STRONG>Version: 3 (0x2)</STRONG></FONT><BR />Serial Number: 3359397260 (0xc83c558c)<BR />Signature Algorithm: sha256WithRSAEncryption<BR />Issuer: CN = testca<BR />Validity<BR />Not Before: Oct 12 05:21:15 2023 GMT<BR />Not After : Oct 11 05:21:15 2024 GMT<BR />Subject: CN = testcert.local<BR />Subject Public Key Info:<BR />Public Key Algorithm: rsaEncryption<BR />RSA Public-Key: (2048 bit)<BR />Modulus:<BR />00:9d:a6:2c:d8:de:f8:2d:4f:5f:f0:cc:3f:0c:da:<BR />0f:7d:25:fa:03:1b:8c:6e:bd:59:52:9d:24:44:86:<BR />57:fb:d7:f7:b1:cc:21:44:be:d5:cc:80:fd:4e:e4:<BR />ca:01:3e:dd:c6:f1:18:8e:46:a2:d7:22:6d:93:35:</P> <P>..snip..</P> <P>====</P> Thu, 12 Oct 2023 05:31:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561382#M4504 emr_1 2023-10-12T05:31:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561393#M4505 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/3296">@emr_1</a>&nbsp;Thank you for your reply</P> <P>&nbsp;</P> <P>A number of customers are experiencing the symptom now, and i have checked the certificate based on the information you provided.</P> <P>&nbsp;</P> <P>All certificates verified as version3.</P> <P>&nbsp;</P> <P>Therefore, I believe there is another cause for this problem.</P> <P>&nbsp;</P> <P>If there is any further confirmation, I will update this ticket.</P> Thu, 12 Oct 2023 07:29:19 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/561393#M4505 KyungjunCHOE 2023-10-12T07:29:19Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/565905#M4630 <P>Previously, customers could use GP with only a root certificate.</P> <P>&nbsp;</P> <P>However, due to the latest security patch in Android, GlobalProtect can no longer be used as a root certificate.</P> <P>So please refer to the information below:</P> <P>&nbsp;</P> <P>- Symptom: Unable to access GP on some Android 13 models</P> <P>- Cause: It is expected that certificate-related security policies have been strengthened and changed on the Android side.</P> <P>- Solution: When creating a Paloalto certificate, separate the root cert and server cert according to the recommended guide.</P> <P>&gt; Related URL: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFoCAK" target="_blank">Certificate config for GlobalProtect - (SSL/TLS, Client cert pr... - Knowledge Base - Palo Alto Networks</A></P> Thu, 16 Nov 2023 02:01:30 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/565905#M4630 KyungjunCHOE 2023-11-16T02:01:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/586594#M5350 <P>Hello <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/311720">@KyungjunCHOE</a>&nbsp;</P> <P>On android device should we upload the certificate as well to work?</P> Tue, 14 May 2024 06:42:50 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-version-3-certificate/m-p/586594#M5350 KhaleelE 2024-05-14T06:42:50Z