https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27059#M19769 <HTML><HEAD></HEAD><BODY><P>I think you have to chain the certificat on the paloalto</P><P></P><P>see <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1937">https://live.paloaltonetworks.com/docs/DOC-1937</A></P><P></P><P>page 32 you could find an example to chain the certificat</P><P></P><P>and on your device you need to install the trust root CA and the intermediate</P><P>you could obtain more information about your issue if you activate the troubleshooting on the global protect agent on your user device.</P></BODY></HTML> Thu, 20 Jun 2013 11:47:52 GMT Gregoux 2013-06-20T11:47:52Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27051#M19761 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>I had tested to connect global protect with client cert successful in my lab.(PANOS-5.0.x)</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">I am installing global protect on my custom device.(PANOS-5.0.x)</SPAN></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">But I don't connect with 'client cert invalid' message.</SPAN></P><P></P><P>I had installed the following in my lab at old days.</P><P><IMG alt="1.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/6989_1.png" /></P><P>1. self generated certificate.</P><P><IMG alt="2.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/6990_2.png" width="450" /></P><P>2. subject &gt; common-name. profile name is 'test'</P><P>3. Portal configuration (authentication profile : local DB , client certificate : none , certificate profile : none)</P><P>4. Gateway configuration (authentication profile : none , certificate profile : 'test')</P><P>5. import certificate into my laptop.</P><P>6. connecting GP -&gt; portal auth localdb(id/pw) successful -&gt; gateway auth client cert(username : uquest) successful </P><P></P><P>I am installing the following in my custom device.</P><P>1. FW is imported certificate issuer by window CA server.</P><P>&nbsp;&nbsp; subject : /C=KR/ST=Seoul/O=paloalto/OU=paloalto/CN=pa.paloalto.co.kr</P><P>&nbsp;&nbsp; issuer : /DC=local/DC=paloalto/CN=paloalto-CA</P><P>2. certificate profile : name 'test01' </P><P>&nbsp;&nbsp;&nbsp; username field - subject&nbsp; - common name</P><P>&nbsp;&nbsp;&nbsp; domain : pa.paloalto.co.kr</P><P>3. Portal configuration (authentication profile local DB , client certificate : none , certificate profile : none)</P><P>4. Gateway configuration (authentication profile : none , certificate profile : 'test01')</P><P>5. import certificate into my laptop.</P><P>6. connecting GP -&gt; portal auth localdb(id/pw) successful -&gt; gateway auth client cert(username : none) fail.</P><P>&nbsp;&nbsp;&nbsp; Error message is client cert invalid.</P><P><IMG alt="3.png" class="jive-image-thumbnail jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/6991_3.png" width="450" /></P><P></P><P>I don't know what missed configuration and problem.</P><P>Please let me know resolved way.</P><P>Thanks.</P></BODY></HTML> Wed, 19 Jun 2013 13:34:03 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27051#M19761 KiCheon.Lee 2013-06-19T13:34:03Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27052#M19762 <HTML><HEAD></HEAD><BODY><P>did you see that <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1934">https://live.paloaltonetworks.com/docs/DOC-1934</A></P></BODY></HTML> Wed, 19 Jun 2013 15:16:52 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27052#M19762 Gregoux 2013-06-19T15:16:52Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27053#M19763 <HTML><HEAD></HEAD><BODY><P>in step 3 <SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">3. Portal configuration (authentication profile local DB , client certificate : none , certificate profile : none)</SPAN></P><P>you forgot certificat profile </P></BODY></HTML> Wed, 19 Jun 2013 15:19:57 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27053#M19763 Gregoux 2013-06-19T15:19:57Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27054#M19764 <HTML><HEAD></HEAD><BODY><P>Hello gregory.screve1,</P><P>Thank you for your help.</P><P></P><P>I had seen this document your recommend.</P><P>I have modified certificate profile in portal configuration.</P><P>But I don't still connect GP with same error message.</P><P>Please let me know other resolved way.</P></BODY></HTML> Thu, 20 Jun 2013 08:06:30 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27054#M19764 KiCheon.Lee 2013-06-20T08:06:30Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27055#M19765 <HTML><HEAD></HEAD><BODY><P>In your portal config / Client Configuration, Have you well configure your Trusted root CA ?</P><P>Have you got either error or warning during commit ?</P><P></P><P>V.</P></BODY></HTML> Thu, 20 Jun 2013 09:13:43 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27055#M19765 VinceM 2013-06-20T09:13:43Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27056#M19766 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">see <A _jive_internal="true" href="https://live.paloaltonetworks.com/message/26851#26851">https://live.paloaltonetworks.com/message/26851#26851</A><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">If you use a self-signed or in-house cert, this feature prevents the client from getting an 'untrusted issuer' prompt when connecting to that gateway. If you are using a public CA with your gateway, you won't need to use this feature.</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">you need to define the CA root like that only if you use a trust&nbsp; root Ca that is not deployed on your client machine.</SPAN></P><P><SPAN style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; background-color: #ffffff;">even you need it it doesn't block yours connection attempt, just a warning.<BR /></SPAN></P></BODY></HTML> Thu, 20 Jun 2013 10:12:58 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27056#M19766 Gregoux 2013-06-20T10:12:58Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27057#M19767 <HTML><HEAD></HEAD><BODY><P>Hello VinceM,</P><P></P><P>Thank you for your information.</P><P>I have installed to choose client certificate in portal config / Client configuration / Trust Root CA.</P><P>But result is same. I don't connect GP with same error message.</P><P></P><P>I guess that FW does not read common name in certificate.</P></BODY></HTML> Thu, 20 Jun 2013 10:32:45 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27057#M19767 KiCheon.Lee 2013-06-20T10:32:45Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27058#M19768 <HTML><HEAD></HEAD><BODY><P>I had imported intermediate certificate for client certificate to FW.</P><P>My customer sent only this certificate issuer by private Window CA.</P><P>Do I need root certificate? Then Will I have to configure root certificate in portal config / Client configuration / Trust Root CA????</P></BODY></HTML> Thu, 20 Jun 2013 11:05:06 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27058#M19768 KiCheon.Lee 2013-06-20T11:05:06Z https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27059#M19769 <HTML><HEAD></HEAD><BODY><P>I think you have to chain the certificat on the paloalto</P><P></P><P>see <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1937">https://live.paloaltonetworks.com/docs/DOC-1937</A></P><P></P><P>page 32 you could find an example to chain the certificat</P><P></P><P>and on your device you need to install the trust root CA and the intermediate</P><P>you could obtain more information about your issue if you activate the troubleshooting on the global protect agent on your user device.</P></BODY></HTML> Thu, 20 Jun 2013 11:47:52 GMT https://live.paloaltonetworks.com/t5/general-topics/client-cert-invalid-message-when-connecting-global-protect-with/m-p/27059#M19769 Gregoux 2013-06-20T11:47:52Z