topic Re: Sectigo wildcard certificate problem for Globalprotect in General Topics

Sectigo wildcard certificate problem for Globalprotect

KovBal — Sat, 21 Mar 2020 20:53:57 GMT

Dear Community,

I've recently purchased a wildcard certificate, that I intend to use it on our firewall for globalprotect. It is a single device, and gateway is configured as external gateway (it provides only vpn access from the external world). I've installed the certificate, without any issue, but CA is not ticked on that. Therefore I cannot select this certificate at Portal/Agent/Trusted root ca, and I get error on the client side, with certificate error.

If I create a self signed certificate to use it for the Gateway, and I use the wildcard for the Portal, client can connect, but then the browser is arguing about bad certificate.

I read something about Sectigo not listed in the default trusted certificate authorities, can that cause the problem? How can I resolve this issue, to keep the official certificate for the whole chain?

I'm using Pan OS 9.1

Re: Sectigo wildcard certificate problem for Globalprotect

JoergSchuetter — Sat, 21 Mar 2020 21:34:59 GMT

You don't need a CA for the portal, neither for the gateway. Using the wildcard certificate should work fine.

If you intend to use certificate based authentication (user and/or machine certificate), then you need a CA which signes the user/machine certificates. This CA needs to be listed as trusted CA in the portal (the portal will then only accept the certificate if it is signed by the "trusted CA" you have listed).

Re: Sectigo wildcard certificate problem for Globalprotect

KovBal — Sat, 21 Mar 2020 22:04:03 GMT

Thanks, I've managed to puzzle it together. The final revelation was to use the fqdn name as the external gateway, not the ip.

Case can be closed as resolved 🙂

Re: Sectigo wildcard certificate problem for Globalprotect

Deepak_K — Mon, 01 Jun 2020 07:51:21 GMT

did you face any issue for global protect on 30 May 2020 due to sectigo cert ?

Re: Sectigo wildcard certificate problem for Globalprotect

RobinClayton — Mon, 01 Jun 2020 09:43:05 GMT

I have an issue with a sectigo secured site today that I would use relativly often without issue. PA says expired certificate.

Re: Sectigo wildcard certificate problem for Globalprotect

RyanHenckel — Mon, 01 Jun 2020 16:51:40 GMT

We're seeing the same on our end. Adding the root CA to device certs (with Trusted Root CA checked) hasn't resolved either.

Re: Sectigo wildcard certificate problem for Globalprotect

Deepak_K — Tue, 02 Jun 2020 09:45:16 GMT

@RyanHenckel @RobinClayton

please update if you got any solution. Currently for workaround we are using self-signed cert.