topic Self-Signed Certificate Issues in General Topics

Self-Signed Certificate Issues

GWynn — Fri, 10 Nov 2023 01:56:34 GMT

Hello everyone,

I am trying to make a self-signed cert for use with Global-Protect in my lab. I go into Device, Certificates, Generate, give the cert a name, Root_GP_Cert, common name of 192.168.189.155 which is the WAN side IP Address. Click the Certificate Authority box and click ok. Then I click on Generate again, this time I use a different name, common name is 192.168.189.155 and I select the Root_GP_Cert in the Signed By drop-down box and I give a Certificate Attribute of IP Address 192.168.189.155 but it gives me the error of: Failed to insert certificate into configuration. Only self signed CA certificates can have identical subject and issuer fields.

I watch youtube videos and follow along, works for them, not for me! Suggestions? Really easy but can't figure it out! Thanks - Geoff

Re: Self-Signed Certificate Issues

rmfalconer — Fri, 10 Nov 2023 21:33:37 GMT

You need to get the naming convention correct. If you create a root authority on the PA, make the CN something like firewall.domain_root_ca.domain.com. Then when you click on it, you'll see the CN and issuer are the same. No other cert can have the name firewall1.domain.com_root_ca.domain.com or it will conflict with the common name of the root.

After you create the issuing authority, it can issue the cert you want to use for testing with the IP address as the CN.

Do you not have internal PKI that can issue certificates for use on the PA? Whatever endpoint you'll use for testing won't trust the certificate bound for GP unless you export the root certificate from the PA and import on your test machine.

Re: Self-Signed Certificate Issues

GWynn — Sun, 12 Nov 2023 05:51:25 GMT

Hello @rmfalconer you are (as you know) correct! I watched a Beacon Module on this last night. Yes I was doing it wrong, even though on youtube I was following along. In any case, may thanks for replying and pointing me in the right direction!