topic Re: Certificate not valid in General Topics

Certificate not valid

Spiff_21 — Mon, 30 Sep 2024 19:47:32 GMT

I am trying to setup Machine authentication, where it actually validates the machine certificate, I have a PKI infrastructure, that pushes certificates to the machines, with there name in Common Name, and SAN, of the machine hostname.

On they Certificate Profile i have enabled CRL, and added both Root and intermediate CA, and set username to subject, and then i have enabled the 4 "block session" checkmarks.

As soon as i enable the "Block sessions if the certificate was not issued to the authenticating device", i cannot login and GP gives me an error that i need a valid certificate.

I have also tryed adding the domain and Certificate template, but that did not help

Firewall is 1410, running 11.1.4-h1, agent running 6.3.1

Any idear on what i am dooing wrong ?

Re: Certificate not valid

Adrian_Jensen — Tue, 01 Oct 2024 23:45:54 GMT

How are you implementing your client certificates? The Host ID certificate check references a unique ID on the machine retrieved from the GP client and a serial number in the subject of the certificate. You can see the unique IDs it references per host OS in the manual here in the "Host ID" section:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/globalprotect/objects-globalprotect-hip-objects/hip-objects-general-tab

So for a Windows machine the subject has to include the MachineGuid from the registry. It is not the machine name (CN) that most people would make their client certificates from. It is an optional field and basically no one normally creates a cert with a serial number. (Note this is not the serial number of the certificate itself, this is a serial number in the subject of the cert).

So a normal internal machine certificate for machine "mylaptop.example.local" would have a subject like:

CN = mylaptop

OU = EmployeePCs

DC = example

DC = local

I haven't done this before, but I believe you need to create an internal client certificate with a subject like this:

CN = mylaptop

serialNumber = c828ea23-62ab-9a3d-56a90ecb2027

OU = EmployeePCs

DC = example

DC = local

This requires redoing your PKI certificate templates to create the new cert form automatically during your AD joining/etc.

Re: Certificate not valid

Spiff_21 — Wed, 02 Oct 2024 08:11:09 GMT

In what part of of the certificate should this be added to the CN or SAN. the CN can to ny knowledge only contain one name which is usally the FQDN.

if it is added to the SAN, in what format
GUID = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (Like Cisco ISE)

Serial = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Can this be used without HIP ?

Re: Certificate not valid

Spiff_21 — Wed, 02 Oct 2024 11:07:34 GMT

Serial of the machine is usally different from Machine ID, should i use the serial or the Machine ID ? so should it be
host id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ?

Re: Certificate not valid

BeckettJames — Fri, 08 Nov 2024 07:53:05 GMT

Thank you so much for the information.