https://live.paloaltonetworks.com/t5/general-topics/vpn-gateway-fails-to-authenticate-clients-with-new-certificate/m-p/1238006#M125139 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1339137399">@m.shah.alizada2000</a>&nbsp;,</P> <P>&nbsp;</P> <P>I see you mentioned you had combined the&nbsp;<SPAN>main cert the two intermediate certs, the root cert and the private key into one pfx (pkcs12) file. However, in your screenshot, I see the root cer, int certs, and wildcard is separate.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Are you saying your SEC360 wildcard cert is the result of this? You already look to have the cert chain imported individually and that looks correct as the root ca is at the top with the intermediate certs within the root ca.&nbsp;<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>Try splitting the bundle so your wildcard is its own cert with the private key.&nbsp;Once that’s done, attach the wildcard cert to your SSL/TLS service profile that you use for the Portal/GW config.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 16 Sep 2025 01:00:38 GMT JayGolf 2025-09-16T01:00:38Z https://live.paloaltonetworks.com/t5/general-topics/vpn-gateway-fails-to-authenticate-clients-with-new-certificate/m-p/1237670#M125100 <P>Dear all,</P> <P>&nbsp;</P> <P>We have a Palo Alto VPN gateway at our office, where our clients and customer’s Palo Alto connects to!</P> <P>Our certificate at one of our customers site has expired and the vpn connection is down and hence to the isp!</P> <P>&nbsp;</P> <P>Now I have generated a private key, using that I have generated a CSR sent the CSR to the CA and they have returned the public cert back to me!</P> <P>&nbsp;</P> <P>I used OpenSSL to combine the main cert the two intermediate certs, the root cert and the private key into one pfx (pkcs12) file!</P> <P>&nbsp;</P> <P>Then I uploaded the certs (pfx cert, root and intermediate certs) into the Palo Alto.</P> <P>Now this is what I did. I uploaded the cert into the vpn gateway and client can’t connect ( I wanted to test and see if this works in the gateway then should be working in the client Palo Palo).</P> <P>&nbsp;</P> <P>But this completely failed.</P> <P>can any one help me figure this out please???</P> <P>&nbsp;</P> <P>There are two attachment I have uploaded one of them is the client expired cert and the other one is the my machine failing to authenticate with the vpn gateway!</P> <P>&nbsp;</P> <P>please help I need it by this Friday!</P> <P>&nbsp;</P> <P>#paloalto</P> <P>#certificate</P> <P>#vpngateway</P> Wed, 10 Sep 2025 17:14:15 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-gateway-fails-to-authenticate-clients-with-new-certificate/m-p/1237670#M125100 m.shah.alizada2000 2025-09-10T17:14:15Z https://live.paloaltonetworks.com/t5/general-topics/vpn-gateway-fails-to-authenticate-clients-with-new-certificate/m-p/1238006#M125139 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1339137399">@m.shah.alizada2000</a>&nbsp;,</P> <P>&nbsp;</P> <P>I see you mentioned you had combined the&nbsp;<SPAN>main cert the two intermediate certs, the root cert and the private key into one pfx (pkcs12) file. However, in your screenshot, I see the root cer, int certs, and wildcard is separate.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Are you saying your SEC360 wildcard cert is the result of this? You already look to have the cert chain imported individually and that looks correct as the root ca is at the top with the intermediate certs within the root ca.&nbsp;<BR /></SPAN></P> <P>&nbsp;</P> <P><SPAN>Try splitting the bundle so your wildcard is its own cert with the private key.&nbsp;Once that’s done, attach the wildcard cert to your SSL/TLS service profile that you use for the Portal/GW config.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 16 Sep 2025 01:00:38 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-gateway-fails-to-authenticate-clients-with-new-certificate/m-p/1238006#M125139 JayGolf 2025-09-16T01:00:38Z