topic Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca in General Topics

Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Ma

junior_r — Tue, 05 Dec 2017 22:04:31 GMT

Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Machine Store? I tired giving the user perm but this didnt fix it. Only way to resolve it is to move the cert to the user store, which I dont want to do.

Thaks

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

rmfalconer — Tue, 05 Dec 2017 22:37:39 GMT

Users with standard permissions don't have access to the machine store. It's not a condition specific to GP.

When you gave permission to the user for the machine cert, how did you do it?

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

junior_r — Wed, 06 Dec 2017 01:08:26 GMT

@rmfalconer wrote:
Users with standard permissions don't have access to the machine store. It's not a condition specific to GP.
When you gave permission to the user for the machine cert, how did you do it?

Right click on the machine cert, Manage private keys and add user to read

Thanks

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

Mick_Ball — Wed, 06 Dec 2017 07:20:38 GMT

Going back to basics,,,, have you checked your setting in the portal app...

Client Certificate Store Lookup.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

psouthwick — Mon, 11 Feb 2019 21:51:24 GMT

Hate to res an old topic, but I am having this very issue as well. Running 4.1.8 GP, have AD auto-enrolling workstations for certificates which only places the certificate in the machine store. The GP Client is setup to look for certificates in the machine store (not both) and I am still getting errors connecting with an error stating 'required client cert not found'.

Any thoughts?

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

Mick_Ball — Tue, 12 Feb 2019 06:29:23 GMT

Can we assume you can see the cert in the machines personal store when using the mmc.

have you tried this firstly with a self signed cert, generate a user cert and manually import into comp store.

pretty basic stuff but may be worth going back a few steps to see if its a cert read error or pki issue.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

psouthwick — Tue, 12 Feb 2019 17:04:29 GMT

Thanks for the reply, and good call. I re-imported the self-signed cert (generated by the firewall) I used as a PoC for pre-logon only in the machine store and was able to connect.... Though this leaves me scratching my head the certs permissions are identical, both have the private keys, share the same signature algorithms etc.

The only differences I see are the self-signed cert has an additional 'Intended Purpose' of IP Security end system, and the cert CN. The self-signed is just some bogus name I made for testing purposes, and the PKI issued one is my machines FQDN.

The certificate profiles in use for the PKI has our Root and intermediate CAs defined with the rest as defaults, and the self-signed certificate profile has the firewalls CA defined with the rest of the options as default.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

Mick_Ball — Tue, 12 Feb 2019 17:13:35 GMT

OK so does the PKI cert on the Palo have "Trusted Root CA" ticked....

kinda clutching at straws as you seem to have all you need.

I doubt if it's anything to do with the username field in the cert profile as that will cause a different error. "certificate invalid".

do you get the same error when you browse to https:\\your-portaldotsumfink

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

Mick_Ball — Tue, 12 Feb 2019 17:22:38 GMT

cancel my previous re trusted root ca. mines not even ticked and works OK, not sure why i said that... hey ho....

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

Mick_Ball — Tue, 12 Feb 2019 17:32:17 GMT

the PKI certificate with your device name, under the details tab, does it have "Client Authentication" in the enhanced key useage.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

psouthwick — Tue, 12 Feb 2019 18:44:21 GMT

It does, I've attached a screen shot of my config. The green is the self-signed, the blue is our root ca, and red is an intermediate that signed the cert that was deployed to the workstation.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

rmfalconer — Tue, 12 Feb 2019 19:21:24 GMT

In your GP portal configuration, do you have a certificate profile applied?

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

psouthwick — Tue, 12 Feb 2019 19:48:20 GMT

In the portal config I do not, but in the gateway I do. It is when I switch it from the prelogon-cert profile to the internal-PKI profile that I encounter the 'required client cert not found' error.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

rmfalconer — Wed, 13 Feb 2019 19:44:20 GMT

Do you have a way to distribute a cert to the user store? There could be a permission issue with accessing the computer cert store to verify the correct certificate.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

psouthwick — Wed, 13 Feb 2019 20:52:45 GMT

I do not and would actually like to avoid that as I would prefer the machine certificate not follow the user, wherever they login.

Out of curiosity do you, or @Mick_Ball, have pre-logon setup using certs auto-enrolled from AD; or are you using the SCEP functionality, or manually generating and importing certs?

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

rmfalconer — Thu, 14 Feb 2019 00:09:37 GMT

We generate machine certs and user certs, both scoped to specific AD groups. We use certs for more than just VPN so we have a need to deploy both.

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

Mick_Ball — Thu, 14 Feb 2019 06:24:48 GMT

I do not use pre logon, it doesn’t really suit our requitements.

I use both pki and self signed.

pki user certs go into user store for globalprotect.

pki machine certs go into machine store for network access control.

self signed certs are distributed to 3rd party support and non domain maccy stuff.....

one thing i have noticed is that our machine certs cannot be used for gp as the cert profile is looking for subject field and the machine certs do not contain this information. Perhaps thats your issue...

Re: Anyone run into a issue where Client Certificate does not get presented to GP if its in the Loca

psouthwick — Thu, 21 Feb 2019 17:58:35 GMT

@Mick_Ball @rmfalconer

Just a follow up as I opened up a TAC case for this issue. It turns out that the version of PanOS we are on 8.0.13 does not support SHA512, which is what our internal PKI CAs are hashed with.

Re: Anyone run into a issue where Client Certificate does not get presented

fatboy1607 — Wed, 19 Aug 2020 12:33:29 GMT

Did you upgrade OS , just to know if that fixed your issue ?