https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23802#M17357 <HTML><HEAD></HEAD><BODY><P>What dose that error mean?</P><P></P><P>Im trying to get a simple certificate from an w2k8 server CA to use in the Global Protect.</P><P></P><P>The Secure WebGui certificate works fine.</P><P></P><P></P><P>Thx in adavanced.</P></BODY></HTML> Thu, 12 Apr 2012 18:14:51 GMT PoTski 2012-04-12T18:14:51Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23802#M17357 <HTML><HEAD></HEAD><BODY><P>What dose that error mean?</P><P></P><P>Im trying to get a simple certificate from an w2k8 server CA to use in the Global Protect.</P><P></P><P>The Secure WebGui certificate works fine.</P><P></P><P></P><P>Thx in adavanced.</P></BODY></HTML> Thu, 12 Apr 2012 18:14:51 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23802#M17357 PoTski 2012-04-12T18:14:51Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23803#M17358 <HTML><HEAD></HEAD><BODY><P>I found the answer after alot of researching.</P><P></P><P>The problem is in in certificate signature algorithm.</P><P></P><P>When we set up the intermediate server we choose to use RSA512 as a signature algorithm. As it turns out the PA v4.1.5 dose not support RSA512.</P><P></P><P>If you are running a windows CA and need to change the signature algorithm. See the following url.</P><P><A href="http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/568ef7b7-5cad-4225-b35a-4630a57a3ac5">http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/568ef7b7-5cad-4225-b35a-4630a57a3ac5</A></P><P></P><P></P><P>Regards</P><P>PoTski</P></BODY></HTML> Fri, 13 Apr 2012 10:42:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23803#M17358 PoTski 2012-04-13T10:42:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23804#M17359 <HTML><HEAD></HEAD><BODY><P>Thanks for the update.&nbsp; Was looking at using SSL inspection via our CA.&nbsp; We used 512RSA to stop Google Chrome moaning about being signed unsecurely when running MD5. Have already uninstalled and re-installed our CA to get this working, don't fancy the reg hack though.</P><P></P><P>Don't suppose you know if this is fixed in 4.1.6?</P></BODY></HTML> Thu, 05 Jul 2012 13:07:41 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23804#M17359 pg_itdept 2012-07-05T13:07:41Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23805#M17360 <HTML><HEAD></HEAD><BODY><P>Isnt RSA512 just really bad?</P><P></P><P>At least use 1024 if your have performance concerns.</P><P></P><P>FIPS 140-2 states one should use 2048 while EU-CRYPTII says something like at least 2444 bits for assymetric encryption (in reality 4096 is the next step).</P><P></P><P>A true CA should use as high encryption as possible for example 16384 where the issued certs uses 4096 or such.</P></BODY></HTML> Fri, 06 Jul 2012 12:38:24 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate-error-certificate-certname-failed-to/m-p/23805#M17360 mikand 2012-07-06T12:38:24Z