topic Re: Global Protect 3.0.0 Gateway Certificate Error &quot;Server Certificate verification failed&amp;quot in General Topics https://live.paloaltonetworks.com/t5/general-topics/global-protect-3-0-0-gateway-certificate-error-quot-server/m-p/78138#M42843 <P>Thanks for the info Jack. This also applies to internally signed certs managed by an&nbsp;internal certificate authority.&nbsp;</P> Mon, 16 May 2016 15:38:14 GMT DavidNestler 2016-05-16T15:38:14Z Global Protect 3.0.0 Gateway Certificate Error "Server Certificate verification failed" *FIX* https://live.paloaltonetworks.com/t5/general-topics/global-protect-3-0-0-gateway-certificate-error-quot-server/m-p/75641#M42049 <P>Hi All,</P> <P>&nbsp;</P> <P>Recently had a client upgrade their Global Protect Agent to 3.0.0 from 2.2.2.&nbsp;</P> <P><BR />When connecting to the Gateway they would encounter the following message - "Server Certificate verification failed".</P> <P>&nbsp;</P> <P>From 2.1.0 you had to ensure the External Gateway address in the Agent/Client configuration of the Portal is the CN of the Certificate you are using, but this was not the case as he upgraded from 2.2.2 and would have already had this implemented.</P> <P>&nbsp;</P> <P>As he's jumped from 2.2 to 3.0 I thought I would look into the release notes and default behaviour changes to the GP agents and found the following document for 2.3.</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-release-information/changes-to-default-behavior.html" target="_blank">https://www.paloaltonetworks.com/documentation/23/globalprotect-agent-rns/globalprotect-agent-2-3-release-information/changes-to-default-behavior.html</A></P> <P>&nbsp;</P> <P>From 2.3 and onwards, you would need to ensure the self-signed certificate you have generated is marked as a Trusted Root CA in the certificates options and/or add the CA to the Trusted Root CA in Network &gt; Global Protect Portals &gt; Portal you're using &gt; Agent Configuration &gt; Add self-signed certificate to the Trusted Root CA list.</P> <P>&nbsp;</P> <P>This is an easy thing to miss, as when following Palo's document on how to create a self-signed certificate, it doesn't mention having to create this certificate as a Trusted Root CA, as this wasn't the case before 2.3.&nbsp;</P> <P>&nbsp;</P> <P><A href="https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/certificate-management/create-a-self-signed-root-ca-certificate.html" target="_blank">https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/certificate-management/create-a-self-signed-root-ca-certificate.html</A></P> <P>&nbsp;</P> <P>Also ensure the certificate that has been marked as a Trusted Root is pushed out.</P> <P>&nbsp;</P> <P>This resolved the issue and a connection to the gateway is now successful.</P> <P>&nbsp;</P> <P>Kind regards</P> <P>Jack</P> Fri, 01 Apr 2016 15:36:52 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-3-0-0-gateway-certificate-error-quot-server/m-p/75641#M42049 Jack_Howells 2016-04-01T15:36:52Z Re: Global Protect 3.0.0 Gateway Certificate Error "Server Certificate verification failed&quot https://live.paloaltonetworks.com/t5/general-topics/global-protect-3-0-0-gateway-certificate-error-quot-server/m-p/78138#M42843 <P>Thanks for the info Jack. This also applies to internally signed certs managed by an&nbsp;internal certificate authority.&nbsp;</P> Mon, 16 May 2016 15:38:14 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-3-0-0-gateway-certificate-error-quot-server/m-p/78138#M42843 DavidNestler 2016-05-16T15:38:14Z