https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177639#M55382 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;is correct. If you are using a self-signed cert or a cert signed by an internal CA the device needs to trust this cert.&nbsp;</P><P>&nbsp;</P><P>Alternatively you could modify the Agent configuration within the App tab to set "Allow User to Continue with Invalid Portal Server Certificate" to yes instead of the default No. This will trigger an alert but still allow the user to connect.&nbsp;</P> Tue, 19 Sep 2017 16:27:24 GMT BPry 2017-09-19T16:27:24Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177526#M55352 <P>Hi</P><P>&nbsp;</P><P>I configured global protect, but when clients try to connect through the agent, they got "Gateway "name":The server certificate is invalid, please contact your IT administrator".</P><P>&nbsp;</P><P>For the configured certificates, I configured self-signed certificate as a certificate authority, and then configured Global-protect certificate signed by the created self-signed certificate, but the common name for the self-signed cert was the firewall private IP and the common name for the global-protect certicate was the firewall public IP</P><P>&nbsp;</P><P>Is there any wrong certificate settings?</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Tue, 19 Sep 2017 09:14:34 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177526#M55352 myasin 2017-09-19T09:14:34Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177555#M55361 <P>i have never used self signed for portal address but i'm sure you need to copy the self signed root cert to the devices, it will be placed with all your other trusted cert authorities.</P><P>&nbsp;</P><P>from PA</P><P>&nbsp;</P><P>Self-Signed Certificates —You can generate a self-signed CA certificate on the portal and use it to issue certificates for all of the GlobalProtect components. However, this solution is less secure than the other options and is therefore not recommended. If you do choose this option, end users will see a certificate error the first time they connect to the portal. To prevent this, you can deploy the self-signed root CA certificate to all end user systems manually or using some sort of centralized deployment, such as an Active Directory Group Policy Object (GPO).</P> Tue, 19 Sep 2017 10:32:30 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177555#M55361 Mick_Ball 2017-09-19T10:32:30Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177639#M55382 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;is correct. If you are using a self-signed cert or a cert signed by an internal CA the device needs to trust this cert.&nbsp;</P><P>&nbsp;</P><P>Alternatively you could modify the Agent configuration within the App tab to set "Allow User to Continue with Invalid Portal Server Certificate" to yes instead of the default No. This will trigger an alert but still allow the user to connect.&nbsp;</P> Tue, 19 Sep 2017 16:27:24 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/177639#M55382 BPry 2017-09-19T16:27:24Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/238014#M68196 <P>Hi There,</P><P>I'm having the same issue but not on self signed certificate and on linux ( Fedora 29)&nbsp;</P><P>Global Protect is configured with the certificate signed by the Authorized CA.</P><P>The Chain is:</P><P><SPAN>DigiCert Global Root CA</SPAN><BR /><SPAN>DigiCert SHA2 Secure Server CA</SPAN></P><P><SPAN>Server certificate.</SPAN></P><P>&nbsp;</P><P><SPAN>It works perfect on Windows.</SPAN></P><P>&nbsp;</P><P><SPAN>On Linux, Fedora.</SPAN></P><P><SPAN>I get the error&nbsp;</SPAN></P><P>Error: Gateway exgw: The server certificate is invalid. Please contact your IT administrator.</P><P>&nbsp;</P><P>I checked if certificate is trusted&nbsp;</P><P>&nbsp;</P><P>xxx\Downloads]$ trust list | grep Digi<BR />l<STRONG>abel: DigiCert Global Root CA</STRONG><BR /><STRONG>label: DigiCert SHA2 Secure Server CA</STRONG><BR /><BR /></P><P>The first two are the exactly the ones that are trusted.</P><P><BR />I am puzzled. Did anybody have issues with Global Protect on linux ?&nbsp;</P> Wed, 31 Oct 2018 18:06:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-certificate/m-p/238014#M68196 PiankaMariusz 2018-10-31T18:06:11Z