Anyone run into an issue where Client Certificate does not get presented to GP if it's in the Local Machine Store?

L3 Networker

Hi

Anyone run into an issue where Client Certificate does not get presented to GP if it's in the Local Machine Store? I tried giving the user permission, but this didn't fix it. The only way to resolve it is to move the cert to the user store, which I don't want to do.

Thanks

L4 Transporter

Re: Anyone run into an issue where Client Certificate does not get presented to GP if it's in the Local Machine Store?

Users with standard permissions don't have access to the machine store. It's not a condition specific to GP.

When you gave permission to the user for the machine cert, how did you do it?

L3 Networker



@rmfalconer wrote:

Users with standard permissions don't have access to the machine store. It's not a condition specific to GP.

When you gave permission to the user for the machine cert, how did you do it?


Right-click on the machine cert, Manage Private Keys, and add the user with Read.

Thanks

L7 Applicator


Going back to basics, have you checked your setting in the portal app: Client Certificate Store Lookup?

L1 Bithead


Hate to resurrect an old topic, but I am having this very issue as well. Running GP 4.1.8, with AD auto-enrolling workstations for certificates, which only places the certificate in the machine store. The GP client is set up to look for certificates in the machine store (not both), and I am still getting errors connecting, with an error stating 'required client cert not found'.

Any thoughts?

L7 Applicator


Can we assume you can see the cert in the machine's Personal store when using the MMC?

Have you tried this first with a self-signed cert: generate a user cert and manually import it into the computer store.

Pretty basic stuff, but it may be worth going back a few steps to see if it's a cert read error or a PKI issue.

L1 Bithead


Thanks for the reply, and good call. I re-imported the self-signed cert (generated by the firewall) I used as a PoC for pre-logon only in the machine store and was able to connect. Though this leaves me scratching my head: the certs' permissions are identical, both have the private keys, share the same signature algorithms, etc.

The only differences I see are that the self-signed cert has an additional 'Intended Purpose' of IP Security end system, and the cert CN. The self-signed one is just some bogus name I made for testing purposes, and the PKI-issued one is my machine's FQDN.

The certificate profile in use for the PKI has our Root and intermediate CAs defined with the rest as defaults, and the self-signed certificate profile has the firewall's CA defined with the rest of the options as default.

L7 Applicator


OK, so does the PKI cert on the Palo have "Trusted Root CA" ticked?

Kinda clutching at straws, as you seem to have all you need.

I doubt it's anything to do with the username field in the cert profile, as that would cause a different error: "certificate invalid".

Do you get the same error when you browse to https://your-portaldotsumfink?

L7 Applicator


Cancel my previous re: Trusted Root CA. Mine's not even ticked and works OK; not sure why I said that... hey ho....

L7 Applicator


The PKI certificate with your device name: under the Details tab, does it have "Client Authentication" in the Enhanced Key Usage?
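The checks the replies in this thread walk through by hand (cert visible in the machine Personal store, Client Authentication EKU present, private key attached, and the "Manage Private Keys" ACL granting the account Read) can be run in one pass with the script below. It is an added example, not code from the thread or from Palo Alto Networks; it assumes Windows PowerShell 5.1 on the workstation, a CAPI (legacy CSP) key container, and that GlobalProtect uses the certificate as the account given in `-Account`.

```powershell
# Added diagnostic, not from the thread or Palo Alto Networks.
# Lists LocalMachine\My certs with the three properties the thread asks about.
param(
    # Account the certificate must be readable by; the interactive user is
    # assumed here. Use 'NT AUTHORITY\SYSTEM' when checking pre-logon.
    [string]$Account = "$env:USERDOMAIN\$env:USERNAME"
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$EkuExtOid     = '2.5.29.37'           # extKeyUsage extension
# CAPI machine key files live here; CNG keys are stored elsewhere, so the ACL
# column reports 'n/a' for them (assumption: CAPI key container).
$MachineKeys = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

function Get-KeyFilePath([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    try {
        $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        if ($name) { return (Join-Path $MachineKeys $name) }
    } catch { }   # CNG key or no access: fall through to 'n/a'
    return $null
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
    # A cert with no EKU extension at all is valid for any purpose.
    if ($null -eq $ekuExt) { $clientAuth = 'any (no EKU)' }
    else { $clientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }) }

    # Mirrors what "Manage Private Keys" shows: an Allow ACE with Read bits for
    # the account. Rights granted via group membership are not resolved here.
    $keyRead = 'n/a'
    $keyPath = Get-KeyFilePath $cert
    if ($keyPath -and (Test-Path $keyPath)) {
        $acl = Get-Acl $keyPath
        $keyRead = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
        })
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        ClientAuthEKU = $clientAuth
        HasPrivateKey = $cert.HasPrivateKey
        KeyReadable   = $keyRead
        Thumbprint    = $cert.Thumbprint
    }
}
```

Run it from an elevated prompt so the key files under MachineKeys can be read; a row with ClientAuthEKU False, HasPrivateKey False, or KeyReadable False points at the cause of 'required client cert not found' before touching the portal configuration.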
