https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367115#M88795 <P>Dears,</P><P>&nbsp;</P><P>i am using a wild card certificate for global protect. when i tried to connect global protect agent. i am facing the below issue:-</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1607017194770.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28949iF8C1EBDF10387984/image-size/medium?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1607017194770.png" alt="Jafar_Hussain_0-1607017194770.png" /></span></P><P>Certificate description:-</P><P>I have imported the wild card certificate that is sign by digicert.</P><P>firstly i have imported trusted root CA.</P><P>Then intermediate CA.</P><P>After that the server chain certificate.</P><P>&nbsp;</P><P>Configuration description:-</P><P>I have used root CA and intermediate CA in a local trusted root certificate store.</P><P>And the server certificate we are using in SSL/TLS profile.</P><P>PAN-OS version - 8.1.11</P><P>GP version - 5.1.0</P><P>&nbsp;</P><P>I have just a question:-</P><P>is there any limitation for a subdomain in the wild card certificate?</P><P>example:- i am using the domain "abc.vpn.contoso.com.uk"</P><P>&nbsp;</P><P>Appreciate your response.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Dec 2020 17:46:33 GMT Jafar_Hussain 2020-12-03T17:46:33Z https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367115#M88795 <P>Dears,</P><P>&nbsp;</P><P>i am using a wild card certificate for global protect. when i tried to connect global protect agent. i am facing the below issue:-</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jafar_Hussain_0-1607017194770.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28949iF8C1EBDF10387984/image-size/medium?v=v2&amp;px=400" role="button" title="Jafar_Hussain_0-1607017194770.png" alt="Jafar_Hussain_0-1607017194770.png" /></span></P><P>Certificate description:-</P><P>I have imported the wild card certificate that is sign by digicert.</P><P>firstly i have imported trusted root CA.</P><P>Then intermediate CA.</P><P>After that the server chain certificate.</P><P>&nbsp;</P><P>Configuration description:-</P><P>I have used root CA and intermediate CA in a local trusted root certificate store.</P><P>And the server certificate we are using in SSL/TLS profile.</P><P>PAN-OS version - 8.1.11</P><P>GP version - 5.1.0</P><P>&nbsp;</P><P>I have just a question:-</P><P>is there any limitation for a subdomain in the wild card certificate?</P><P>example:- i am using the domain "abc.vpn.contoso.com.uk"</P><P>&nbsp;</P><P>Appreciate your response.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 03 Dec 2020 17:46:33 GMT https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367115#M88795 Jafar_Hussain 2020-12-03T17:46:33Z https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367198#M88803 <P>What's the CN on the cert? If it's *.contoso.co.uk, it won't work. You would need *.vpn.contoso.co.uk.</P><P>This isn't a limitation of GP, it's the behavior with any certificate.&nbsp;</P> Thu, 03 Dec 2020 23:48:00 GMT https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367198#M88803 rmfalconer 2020-12-03T23:48:00Z https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367201#M88804 <P>Hmmmm... &nbsp; seems a bit odd that you are offered a gateway in the first place. I assume you had no certificate error for the portal... &nbsp; do you get an error if &nbsp;you browse https to your portal?</P> Fri, 04 Dec 2020 02:54:42 GMT https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367201#M88804 Mick_Ball 2020-12-04T02:54:42Z https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367374#M88830 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55733">@rmfalconer</a>&nbsp;</P><P>The CN on the cert is *.contoso.com.uk. and the gateway URL is *.abc.vpn.contoso.com.uk.&nbsp; as per your suggestion would i need to change the common of the certificate like *.vpn.contoso.co.uk?</P> Fri, 04 Dec 2020 20:00:55 GMT https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367374#M88830 Jafar_Hussain 2020-12-04T20:00:55Z https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367391#M88832 <P>Let's say the url is 1.abc.vpn.contoso.co.uk, then you would need a wildcard for *.abc.vpn.contoso.co.uk.</P><P>*.vpn.contoso.co.uk would not work for 1.abc.vpn.contoso.co.uk</P><P>The * only functions at one level.</P><P>&nbsp;</P> Fri, 04 Dec 2020 21:15:45 GMT https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367391#M88832 rmfalconer 2020-12-04T21:15:45Z https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367454#M88836 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/55733">@rmfalconer</a>&nbsp;</P><P>Thanks for the detail. i will change the CN name.</P><P>Then i will try.</P> Sat, 05 Dec 2020 17:31:36 GMT https://live.paloaltonetworks.com/t5/general-topics/wild-card-certificate/m-p/367454#M88836 Jafar_Hussain 2020-12-05T17:31:36Z