topic Re: Any idea about 3rd party verisign certificate with GlobalProtect ? in General Topics

Any idea about 3rd party verisign certificate with GlobalProtect ?

Retired Member — Mon, 30 Jul 2012 13:20:47 GMT

We were using sslvpn with PA 's certificate.Now we bought 3rd party cert. from Verisign and imported it as using server certificate

But Global Protect gives an error as "Protocol Error: Check server sertificate"

I have searched KnowledgePoint but could not find anything for this error.

Any idea ?

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Mon, 30 Jul 2012 17:39:16 GMT

I think I've had the same problem. PAN's documentation, and what others tell you to do is inaccurate. I happened to stumble on this forum thread, https://live.paloaltonetworks.com/thread/4054 and found this answer to be very helpful instead of generating a plain cert on the PA-FW, use your purchased cert instead:

1) Generate a plain Cert in Palo Alto(Not signed and not a Certificate Authority)
2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None".  Set "Server Certificate" to the Cert you made in step 1.
3) Move to Client Configuration tab > Delete any Root CA's that are set.
4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you created in step 1.  Set "Client Certificate Profile to "None".

I was getting a very similar error doing it any other way, but this seemed to fix the problem.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Retired Member — Tue, 31 Jul 2012 00:59:17 GMT

Thanks for help but where is the cert that I have bought ? I could not find it at your answer.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Tue, 31 Jul 2012 15:36:21 GMT

This is typically provided to you either by an email or at time of purchase through the web browser. You would save it to notepad and save it to a .crt file. Then you upload the cert to Device->Certificates

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Retired Member — Tue, 31 Jul 2012 15:58:57 GMT

I know that.I have the file already.You mean the solution is like this :

1) Upload cert. you bought
2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the Cert you uploaded
3) Move to Client Configuration tab > Delete any Root CA's that are set.
4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you uploaded. Set "Client Certificate Profile to "None".

is this the solution ? Because I will try it tomorrow

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Tue, 31 Jul 2012 16:03:02 GMT

Correct. Assuming that is what you are trying to accomplish. Presenting the VPN portal in a way that does not give a certificate warning.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Retired Member — Tue, 31 Jul 2012 16:06:41 GMT

Thanks.I will try and write back.Thank you.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Retired Member — Thu, 02 Aug 2012 13:43:14 GMT

I tried that.Not selecting any client certificate fixed the problem.Thank you very much.

I wonder if we want to use client certificate also, what steps will we do.

Thank you for help

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Thu, 02 Aug 2012 16:24:19 GMT

The Client cert depends on how you want to setup that. We use AD in our environment, so we generate user certificates from our AD CA. You can generate a signed cert within the PA too and use that.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Retired Member — Thu, 02 Aug 2012 16:28:46 GMT

ok.I understand AD.

can we use the certificate that we bought for clients also ?(it is wildcard cert)

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Wed, 15 Aug 2012 04:59:35 GMT

You may be able to, but I don't know how to configure that. We used AD CA certs, it was easier. To sign individual certs with the purchased one, I don't think you can do that.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

SistemasCajamar — Sat, 16 Feb 2013 00:50:52 GMT

Hello

How did you generate user certificates from AD?

Which template did you use?

Did you generate a Gateway Certificate too?

Thanks

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Wed, 20 Feb 2013 16:03:43 GMT

User certificates were created from Window's Server Cert Authority - we obtain user certs this way https://domaincontroller/certsrv since that is where our certificate authority is as the moment. If you are logged in with the user then they just simply walk through the process and it add's it to their machine.

I'm not sure I understand the Gateway cert question, we generated a third party cert and specified both in the portal / gateway this cert for our server cert. I also had to use our internal root cert to handle the user cert authentication.

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

SistemasCajamar — Fri, 22 Feb 2013 09:02:05 GMT

Hello

My question is about the type of certificate you have to issue as there are several templates on the Windows CA

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

cmateam — Sat, 23 Feb 2013 14:13:45 GMT

I believe all you need is a user certificate. When going to the certsrv in a web browser, logging in with the user name/password - for us just generates a user certificate.