https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590490#M117629 <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;if this is an existing deployment with nothing new it seems odd that this error is just randomly occurring.&nbsp; At face value there's 2 things going on here.&nbsp; Either the certificate being presented by the firewall isn't trusted by the machine that's trying to connect to the VPN (meaning you are missing at least one of the following in the local machine cert store:&nbsp; root, intermediate, or issuer.)&nbsp; Option 2 is the certificate is expired and inherently will be untrusted.</P> <P>&nbsp;</P> <P>There are be other more intricate issues like&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;mentioned with the cert name not matching the SN/SAN (subject alternative name)&nbsp; -- This wouldn't make sense though to "just have broken" with nothing else being changed.</P> Wed, 26 Jun 2024 14:21:21 GMT Brandon_Wertz 2024-06-26T14:21:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590350#M117603 <P>Hi All,</P> <P>&nbsp;</P> <P>I am new to this community I am here to get some help on a issue I am experiencing with my organization vpn network gp vpn server certificate is not trusted.</P> <P>Here is the error screenshot.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 294px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60496iD4863806A967E2A5/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="image.png" alt="image.png" /></span></P> <P>Any help to troubleshoot this issue would be greatly appreciated <span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> <P>&nbsp;</P> <P>Regards</P> <P>Sanjib</P> Tue, 25 Jun 2024 18:27:23 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590350#M117603 Sanjib1549 2024-06-25T18:27:23Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590355#M117604 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/303416993">@Sanjib1549</a>,</P> <P>I'm assuming that this is a new configuration and not an existing configuration. You'll either need to get a certificate that is signed by a public trusted certificate authority, an internal certificate authority trusted by your endpoints, or utilize a self-signed certificate and deploy out the certificate to your endpoints.</P> <P>I don't recommend utilizing an IP for VPN personally and would recommend setting up an FQDN, but if you're going to utilize an IP it needs to be listed as a SAN for modern browsers to accept it as well. I wouldn't recommend relying solely on IP instead of a DNS entry in a production environment however.</P> Tue, 25 Jun 2024 19:26:49 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590355#M117604 BPry 2024-06-25T19:26:49Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590470#M117626 <P>Thanks for your assistance it is actually not a new configuration I am actually need some references article or documents if I can get a that will be helpful.</P> <P>&nbsp;</P> <P>Regards</P> <P>Sanjib</P> Wed, 26 Jun 2024 12:29:23 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590470#M117626 Sanjib1549 2024-06-26T12:29:23Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590490#M117629 <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;if this is an existing deployment with nothing new it seems odd that this error is just randomly occurring.&nbsp; At face value there's 2 things going on here.&nbsp; Either the certificate being presented by the firewall isn't trusted by the machine that's trying to connect to the VPN (meaning you are missing at least one of the following in the local machine cert store:&nbsp; root, intermediate, or issuer.)&nbsp; Option 2 is the certificate is expired and inherently will be untrusted.</P> <P>&nbsp;</P> <P>There are be other more intricate issues like&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;mentioned with the cert name not matching the SN/SAN (subject alternative name)&nbsp; -- This wouldn't make sense though to "just have broken" with nothing else being changed.</P> Wed, 26 Jun 2024 14:21:21 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-vpn-server-certificate-error/m-p/590490#M117629 Brandon_Wertz 2024-06-26T14:21:21Z