https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/336624#M84812 <P>Reading over this post, good stuff. Should the Certificate for decrypting and encrypting cookies be something other than the Sever Cert used to for the portal/gateway?&nbsp; Is there any security benefit to using a cert from our Private PKI infrastructure similar to the Machine Cert for pre-logon?</P><P>&nbsp;</P><P>&nbsp; &nbsp;</P> Sun, 05 Jul 2020 15:38:38 GMT Gregory_Korten 2020-07-05T15:38:38Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/158112#M51773 <P>Hi All,</P><P>I'd like to find out what type of certificate you need if you are configuring Authentication Override for GlobalProtect Portal and Gateway. That is, for the option to specify a certificate to Encrypt/Decrypt Cookie (screenshot below), does this need a Machine Certificate, Web certificate???</P><P>&nbsp;</P><P>Secondly, what is the behaviour if you don't specify a certificate? Will Authentication Override still work albeit without encrypting/decrypting?</P><P>&nbsp;</P><P>Your feedback is appreciated.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="override.PNG" style="width: 773px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/9401i966113A4AD4FC150/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="override.PNG" alt="override.PNG" /></span></P><P>&nbsp;</P> Wed, 24 May 2017 17:07:25 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/158112#M51773 Bocsa 2017-05-24T17:07:25Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/158120#M51774 <P>Any certificate is fine, as long as you have the private key for it. It doesn't matter if it's a CA, end-entity, key signing, etc. It doesn't have to be trusted or installed on the client either. It's just so the&nbsp;portal can encrypt the cookie, and then the gateway can decrypt it. The only real requirement here is that you have to use the same cert on both portal and gateway for cookie encrypt/decrypt, otherwise it won't work.</P><P>&nbsp;</P><P>If you don't encrypt it, that's fine. If you don't specify one, it's just not an encrypted cookie. It'll still work just fine, but without the extra security of encryption for the auth cookie.</P> Wed, 24 May 2017 17:27:50 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/158120#M51774 gwesson 2017-05-24T17:27:50Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/336624#M84812 <P>Reading over this post, good stuff. Should the Certificate for decrypting and encrypting cookies be something other than the Sever Cert used to for the portal/gateway?&nbsp; Is there any security benefit to using a cert from our Private PKI infrastructure similar to the Machine Cert for pre-logon?</P><P>&nbsp;</P><P>&nbsp; &nbsp;</P> Sun, 05 Jul 2020 15:38:38 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/336624#M84812 Gregory_Korten 2020-07-05T15:38:38Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/336629#M84815 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42546">@Gregory_Korten</a>&nbsp;</P> <P>&nbsp;</P> <P>As mentioned by earlier post this cert can be any certificate.</P> <P>As per my knowledge there is no security benefit using the cert from PKI.</P> Sun, 05 Jul 2020 21:44:33 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/336629#M84815 MP18 2020-07-05T21:44:33Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/461530#M102178 <P>Do things break when the certificate expires or will it continue to encrypt/decrypt just fine?</P> Thu, 27 Jan 2022 18:27:58 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/461530#M102178 MarkSanchezSSnC 2022-01-27T18:27:58Z https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/462941#M102312 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/157712">@MarkSanchezSSnC</a>&nbsp;</P> <P>As per my understanding if certs are expired then it will cause the issue.</P> <P>Lets see if someone else has more info on this.</P> <P>&nbsp;</P> <P>Regards</P> Thu, 03 Feb 2022 02:10:22 GMT https://live.paloaltonetworks.com/t5/general-topics/globalprotect-certificate-to-encrypt-and-decrypt-cookies/m-p/462941#M102312 MP18 2022-02-03T02:10:22Z