Anyone run into an issue where Client Certificate does not get presented to GP if it's in the Local Ma

Reply
L1 Bithead

[Attachment: prelogon-cert.jpg]

It does, I've attached a screenshot of my config. The green is the self-signed, the blue is our root CA, and red is an intermediate that signed the cert that was deployed to the workstation.

L4 Transporter

In your GP portal configuration, do you have a certificate profile applied?

L1 Bithead

In the portal config I do not, but in the gateway I do.  It is when I switch it from the prelogon-cert profile to the internal-PKI profile that I encounter the 'required client cert not found' error.

L4 Transporter

Do you have a way to distribute a cert to the user store? There could be a permission issue with accessing the computer cert store to verify the correct certificate.

L1 Bithead

I do not, and would actually like to avoid that, as I would prefer the machine certificate not follow the user wherever they log in.

Out of curiosity, do you, or @MickBall, have pre-logon set up using certs auto-enrolled from AD; or are you using the SCEP functionality, or manually generating and importing certs?

L4 Transporter

We generate machine certs and user certs, both scoped to specific AD groups. We use certs for more than just VPN so we have a need to deploy both.

L6 Presenter

I do not use pre-logon, it doesn't really suit our requirements.

I use both PKI and self-signed.

PKI user certs go into the user store for GlobalProtect.

PKI machine certs go into the machine store for network access control.

Self-signed certs are distributed to 3rd-party support and non-domain maccy stuff.....

One thing I have noticed is that our machine certs cannot be used for GP, as the cert profile is looking for the subject field and the machine certs do not contain this information. Perhaps that's your issue...

 

L1 Bithead

@MickBall @rmfalconer

Just a follow-up, as I opened a TAC case for this issue. It turns out that the version of PAN-OS we are on, 8.0.13, does not support SHA512, which is what our internal PKI CAs are hashed with.
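The two failure modes raised in this thread (a machine certificate with no Subject field for the certificate profile to match, and a CA chain signed with a hash the firewall's PAN-OS release does not support) can both be checked on the workstation before opening a case. The script below is an added example written for this page; it is not from any poster and not a Palo Alto Networks tool. The store paths, extension OIDs and .NET X509 types are standard Windows PowerShell; the function names `Get-GpCertReport` and `Get-ChainSignatureAlgs` are my own, and which attributes a given certificate profile actually matches on is an assumption you should confirm against your own profile.

```powershell
# Added example, not from the thread. Inspects the Local Machine and Current
# User "Personal" stores for the attributes that decide whether a certificate
# is usable by a GlobalProtect certificate profile: a Subject with a CN, a
# SAN, the Client Authentication EKU, a private key, and the signature hash
# algorithm of the leaf and of every CA in its chain.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth EKU (standard OID)
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension (standard OID)

function Get-GpCertReport {
    param(
        # Both stores are listed so a cert present in only one of them is obvious.
        [string[]]$StorePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path | ForEach-Object {
            $cert    = $_
            $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
            $sanText = if ($san) { $san.Format($false) } else { '' }
            $eku     = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid }
            [pscustomobject]@{
                Store         = $path
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                HasSubjectCN  = ($cert.Subject -match 'CN=')   # empty Subject => a profile keyed on Subject cannot match it
                SAN           = $sanText
                ClientAuthEKU = [bool]$eku
                HasPrivateKey = $cert.HasPrivateKey            # no private key => cannot be presented for TLS client auth
                SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha256RSA, sha512RSA
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

# Walks the issuer chain of one certificate and reports the signature hash of
# each element. The hash support limit reported in the thread applied to the
# CA certificates, so the leaf alone is not enough to look at.
function Get-ChainSignatureAlgs {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the question here
    [void]$chain.Build($Cert)
    $chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Leaf         = ($_.Certificate.Thumbprint -eq $Cert.Thumbprint)
            Subject      = $_.Certificate.Subject
            SignatureAlg = $_.Certificate.SignatureAlgorithm.FriendlyName
        }
    }
}

# Usage: overview of both stores, then the chain hashes for every machine-store
# cert that carries the Client Authentication EKU.
Get-GpCertReport | Format-Table -AutoSize

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid } } |
    ForEach-Object { Get-ChainSignatureAlgs -Cert $_ | Format-Table -AutoSize }
```

Run it in an elevated PowerShell session so the Local Machine private keys are readable; a certificate that shows `HasPrivateKey` as False when run elevated but was expected to have one points at a key-permission problem of the kind mentioned earlier in the thread, while an empty `Subject` or a `sha512RSA` entry in the chain output points at the two causes the posters identified.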