https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48056#M35339 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>you can generate client cert with the ca cert created on the palo.</P><P>but you can't published directly the client cert</P><P>you need to export it and install on the client device.</P><P>otherwise you could you use your microsoft active directory to generate the client cert and published it by gpo.</P><P></P><P>regards</P></BODY></HTML> Wed, 26 Jun 2013 10:02:03 GMT Gregoux 2013-06-26T10:02:03Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48055#M35338 <HTML><HEAD></HEAD><BODY><P>I made 5 users into LocalDB, and I configured GlobalProtect Portal &amp; Gateway.</P><P>It works fine so far.</P><P>Now I want to generate 5 client certificates for each user and use Client Cert Profile and Local DB as two factor auth. when I connect to GP.</P><P>My PANOS is 5.0. Is it possible to publish client certs?</P><P></P><P>I could confirm I can configure CA under Device tab &gt; Certificate Management &gt; Certificates.</P><P>But I think I CANNOT generate client certs using this CA.</P><P></P><P>If I'm wrong, please correct me and tell me how to.</P><P></P><P>If I'm correct, I'll prepare Windows 2008 or 2012 server for CA and client certs.</P><P></P><P>Regards,</P><P>Emr</P></BODY></HTML> Wed, 26 Jun 2013 09:40:12 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48055#M35338 emr_1 2013-06-26T09:40:12Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48056#M35339 <HTML><HEAD></HEAD><BODY><P>hi,</P><P>you can generate client cert with the ca cert created on the palo.</P><P>but you can't published directly the client cert</P><P>you need to export it and install on the client device.</P><P>otherwise you could you use your microsoft active directory to generate the client cert and published it by gpo.</P><P></P><P>regards</P></BODY></HTML> Wed, 26 Jun 2013 10:02:03 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48056#M35339 Gregoux 2013-06-26T10:02:03Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48057#M35340 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>Thank you for your reply.</P><P>I could generate client cert and successfully auth'ed by client certificate.</P><P></P><P>I have one more question.</P><P>I generated two certs, and confirmed both certs works fine.</P><P>Afterward, I revoked one cert, though I can still login to GP Portal using user002.</P><P>Doesn't it revoke just after I hit 'revoke' from GUI? (I mean do I need to wait few minutes? hours?)</P><P>Do you have any idea?</P><P></P><P>Regards</P></BODY></HTML> Wed, 26 Jun 2013 14:11:45 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48057#M35340 emr_1 2013-06-26T14:11:45Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48058#M35341 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I dont think Portal authentication will have the second factor check of the 'client certificate'.</P><P></P><P>I think a valid test after revoking the client cert would to try and connect to the gateway and see the results.</P><P></P><P>Regards</P></BODY></HTML> Wed, 26 Jun 2013 19:33:52 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48058#M35341 Chatri 2013-06-26T19:33:52Z https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48059#M35342 <HTML><HEAD></HEAD><BODY><P>HI,</P><P>you can do it.</P><P><A name="1653273">Use the </A><SPAN style="font-weight: bold;">OCSP Responder</SPAN> (Online Certificate Status Protocol Responder) page to define a server that will be used to verify the revocation status of certificates issues by the PAN-OS device. When generating new certificates, you can specify the OCSP Responder that will be used.</P><P>you can do that with CRL too.</P><P><A name="1653487">To enable OCSP, go to </A><SPAN style="font-weight: bold;">Device &gt; Setup &gt; Sessions</SPAN> and under <SPAN style="font-weight: bold;">Sessions Features</SPAN> click <SPAN style="font-weight: bold;">Decryption Certificate Revocation Settings</SPAN>.</P><P>and create a management profile with HTTP OCSP feature enable and bind it to the ingress interface.</P><P></P><P>regards</P></BODY></HTML> Mon, 01 Jul 2013 06:16:11 GMT https://live.paloaltonetworks.com/t5/general-topics/can-pan-device-publish-client-certificates/m-p/48059#M35342 Gregoux 2013-07-01T06:16:11Z