https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/71586#M40841 <P>Sorry for the delay.</P> <P>&nbsp;</P> <P>So the choices become:</P> <P>1. Manually chained.&nbsp; Then the Mac's keychain will show the certificate as complete.</P> <P>2.&nbsp; Leave as is.&nbsp; The client gets no error during GP login but the keychain on the machine just shows the cert signed by an unknown CA.&nbsp;</P> <P>&nbsp;</P> <P>User's don't actually go there to check anyway.&nbsp; They just don't want to see those pesky pop-ups about untrusted cert.&nbsp; So, I'm going to leave it as is.</P> <P>&nbsp;</P> <P>Thank you for the response.</P> Tue, 26 Jan 2016 00:57:25 GMT CafNetMatt 2016-01-26T00:57:25Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70944#M40626 <P>This is on a PA-3020 running PAN-OS 7.0.4.</P> <P>&nbsp;</P> <P>I've always manually chained certificates when installed an SSL certificate for Global Protect. &nbsp;I decided to see if I could install the SSL certificate and the Intermediate certificates separately and see if it would work. &nbsp;I configured Global Protect Portal &gt; Agent Configuration &gt; Trusted Root CA with the GoDaddy G2_G1 certificate provided by GoDaddy.</P> <P>&nbsp;</P> <P>When I log into Global Protect, I do not get the 'untrusted certificate' error. &nbsp;However, when I check Keychain on my Mac, it only shows the client certificate installed, not the GoDaddy intermediate, and the certificate is labeled as 'signed by unknow authority'.</P> <P>&nbsp;</P> <P>My questions:</P> <P>&nbsp;</P> <P>1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?</P> <P>2. Is it still recommended to manually create the certificate chain or use this method? &nbsp;</P> <P>&nbsp;</P> <P>The reason I'm trying not to chain them is because the client wants his SSL certificate to update via OCSP and it just doesn't do that if it's manually chained.</P> <P>&nbsp;</P> <P>Thanks.</P> Fri, 15 Jan 2016 01:45:12 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70944#M40626 CafNetMatt 2016-01-15T01:45:12Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70956#M40629 <P>1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?</P> <P>&nbsp;</P> <P>It pushes the root ca to client. Client performs certificate checks when user connect to the GlobalProtect gateway.</P> <P>&nbsp;</P> <P>2. Is it still recommended to manually create the certificate chain or use this method? &nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523</A></P> <P>&nbsp;</P> <P>Hope this helps!</P> Fri, 15 Jan 2016 06:19:56 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70956#M40629 pankaku 2016-01-15T06:19:56Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70961#M40632 <P>That's what's weird.&nbsp; I thought it pushed the Root CA to the client.</P> <P>&nbsp;</P> <P>When I check Keychain on my Mac, the client's certificate is there but the CA Root is not.&nbsp; The client certificate just shows that's it's signed by an unknown signer.</P> <P>&nbsp;</P> <P>I searched the keychain and could not find the Root CAs that should be being pushed down.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> <P>Matt</P> Fri, 15 Jan 2016 05:54:29 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70961#M40632 CafNetMatt 2016-01-15T05:54:29Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70964#M40633 <P>It pushes the root ca to client. Client performs certificate checks when user connect to the GlobalProtect gateway.</P> Fri, 15 Jan 2016 06:06:30 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70964#M40633 pankaku 2016-01-15T06:06:30Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70965#M40634 <P>But I'm seeing it doesn't add it to the local keychain on the PC.&nbsp; Only the client certificate is being added.&nbsp;</P> <P>&nbsp;</P> <P>Shouldn't the Root CA be added to the keychain?</P> <P>&nbsp;</P> <P>Regards,</P> <P>Matt</P> Fri, 15 Jan 2016 06:11:19 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70965#M40634 CafNetMatt 2016-01-15T06:11:19Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70966#M40635 <P>It will not be added.</P> <P>&nbsp;</P> <P>From the admin guide:</P> <P>&nbsp;</P> <P>"As a best practice, always deploy the trusted root CA certificates in the client configuration to ensure that the agents/apps perform the certificate checks to validate the identity of the gateway before establishing a connection. This prevents the agents/apps from falling prey to man-in-the-middle attacks"</P> <P>&nbsp;</P> <P>Have you tried in windows system? May be godaddy intermediate root ca is not present on the local machine that's why it is showing was unknow signing authority.</P> Fri, 15 Jan 2016 06:15:38 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70966#M40635 pankaku 2016-01-15T06:15:38Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70967#M40636 <P>Check this doc:</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed-by-a-Public-CA/ta-p/55523</A></P> Fri, 15 Jan 2016 06:19:14 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70967#M40636 pankaku 2016-01-15T06:19:14Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70968#M40637 <P>I guess certificate chain will help here.</P> Fri, 15 Jan 2016 07:15:39 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/70968#M40637 pankaku 2016-01-15T07:15:39Z https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/71586#M40841 <P>Sorry for the delay.</P> <P>&nbsp;</P> <P>So the choices become:</P> <P>1. Manually chained.&nbsp; Then the Mac's keychain will show the certificate as complete.</P> <P>2.&nbsp; Leave as is.&nbsp; The client gets no error during GP login but the keychain on the machine just shows the cert signed by an unknown CA.&nbsp;</P> <P>&nbsp;</P> <P>User's don't actually go there to check anyway.&nbsp; They just don't want to see those pesky pop-ups about untrusted cert.&nbsp; So, I'm going to leave it as is.</P> <P>&nbsp;</P> <P>Thank you for the response.</P> Tue, 26 Jan 2016 00:57:25 GMT https://live.paloaltonetworks.com/t5/general-topics/trusted-root-ca-not-installed-on-client/m-p/71586#M40841 CafNetMatt 2016-01-26T00:57:25Z