Any idea about 3rd party verisign certificate with GlobalProtect ?

L6 Presenter

Any idea about 3rd party verisign certificate with GlobalProtect ?

We were using SSL VPN with the PA's certificate. Now we bought a 3rd party cert from Verisign and imported it for use as the server certificate.

But GlobalProtect gives an error: "Protocol Error: Check server certificate".

I have searched KnowledgePoint but could not find anything for this error.

Any idea?

L3 Networker

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

I think I've had the same problem. PAN's documentation, and what others tell you to do, is inaccurate. I happened to stumble on this forum thread, https://live.paloaltonetworks.com/thread/4054, and found this answer to be very helpful: instead of generating a plain cert on the PA-FW, use your purchased cert:

1) Generate a plain cert in Palo Alto (not signed and not a Certificate Authority).

2) GlobalProtect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the cert you made in step 1.

3) Move to the Client Configuration tab > Delete any Root CAs that are set.

4) GlobalProtect > Gateways > Your Gateway > General > Set "Server Certificate" to the cert you created in step 1. Set "Client Certificate Profile" to "None".

I was getting a very similar error doing it any other way, but this seemed to fix the problem.

L6 Presenter

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Thanks for the help, but where is the cert that I have bought? I could not find it in your answer.

L3 Networker

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

This is typically provided to you either by email or at the time of purchase through the web browser. You would save it in Notepad as a .crt file. Then you upload the cert to Device > Certificates.

L6 Presenter

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

I know that. I have the file already. You mean the solution is like this:

1) Upload the cert you bought.

2) GlobalProtect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the cert you uploaded.

3) Move to the Client Configuration tab > Delete any Root CAs that are set.

4) GlobalProtect > Gateways > Your Gateway > General > Set "Server Certificate" to the cert you uploaded. Set "Client Certificate Profile" to "None".

Is this the solution? Because I will try it tomorrow.

L3 Networker

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Correct, assuming that is what you are trying to accomplish: presenting the VPN portal in a way that does not give a certificate warning.
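Before uploading the purchased cert in step 1 of the procedure above, it is worth confirming offline that it is the right kind of certificate for the portal and gateway "Server Certificate" slot. The following shell script is an added example, not code from the thread or from Palo Alto Networks; it assumes the openssl CLI is installed, and the file paths, the portal FQDN and the throw-away sample certificate it generates are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a purchased server
# certificate before importing it as the GlobalProtect portal/gateway
# "Server Certificate". Assumes the openssl CLI is on PATH; file paths
# and the portal FQDN are supplied by the caller.

# check_gp_server_cert CERT.pem KEY.pem PORTAL_FQDN
# Returns 0 only if CERT is an end-entity cert (not a CA), carries the
# serverAuth extended key usage, covers PORTAL_FQDN (wildcard SANs are
# honoured by openssl's -checkhost) and matches the private key in KEY.
check_gp_server_cert() {
  cert="$1"; key="$2"; fqdn="$3"
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
    echo "FAIL: cannot parse $cert as an X.509 certificate" >&2; return 1; }
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo "FAIL: $cert is a CA certificate, not a server certificate" >&2; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
    echo "FAIL: $cert lacks the serverAuth extended key usage" >&2; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q 'does match'; then
    echo "FAIL: $cert does not cover $fqdn" >&2; return 1
  fi
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $cert" >&2; return 1
  fi
  echo "OK: $cert is an end-entity server certificate for $fqdn with matching key"
}

# make_sample_server_cert DIR NAME
# Constructed sample input: a throw-away self-signed end-entity cert for NAME
# (a wildcard such as '*.example.com' works) written to DIR/cert.pem and
# DIR/key.pem. It stands in for a purchased certificate; never deploy it.
make_sample_server_cert() {
  dir="$1"; name="$2"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$name" > "$dir/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/key.pem" -out "$dir/csr.pem" 2>/dev/null &&
  openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" -days 1 \
    -extfile "$dir/ext.cnf" -out "$dir/cert.pem" 2>/dev/null
}

# Usage: check_gp_server_cert purchased.crt purchased.key portal.example.com
```

A CA:TRUE result, a missing serverAuth EKU or a key mismatch means the file you are about to upload is not the end-entity server certificate the portal and gateway need.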

L6 Presenter

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

Thanks. I will try and write back. Thank you.

L6 Presenter

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

I tried that. Not selecting any client certificate fixed the problem. Thank you very much.

I wonder, if we want to use a client certificate as well, what steps we would need to do.

Thank you for the help.

L3 Networker

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

The client cert depends on how you want to set that up. We use AD in our environment, so we generate user certificates from our AD CA. You can generate a signed cert within the PA too and use that.

L6 Presenter

Re: Any idea about 3rd party verisign certificate with GlobalProtect ?

OK. I understand AD.

Can we use the certificate that we bought for clients also? (It is a wildcard cert.)
