Any idea about 3rd party verisign certificate with GlobalProtect ?

L6 Presenter

We were using SSL VPN with the PA's certificate. Now we bought a 3rd-party cert from Verisign and imported it to use as the server certificate.

But GlobalProtect gives an error: "Protocol Error: Check server certificate".

I have searched KnowledgePoint but could not find anything for this error.

Any idea?


L3 Networker

I think I've had the same problem. PAN's documentation, and what others tell you to do, is inaccurate. I happened to stumble on this forum thread, https://live.paloaltonetworks.com/thread/4054, and found this answer to be very helpful. Instead of generating a plain cert on the PA-FW, use your purchased cert instead:

1) Generate a plain Cert in Palo Alto(Not signed and not a Certificate Authority)

2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None".  Set "Server Certificate" to the Cert you made in step 1.

3) Move to Client Configuration tab > Delete any Root CA's that are set.

4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you created in step 1. Set "Client Certificate Profile" to "None".

I was getting a very similar error doing it any other way, but this seemed to fix the problem.

L6 Presenter

Thanks for the help, but where is the cert that I have bought? I could not find it in your answer.

L3 Networker

This is typically provided to you either by email or at the time of purchase through the web browser. You would paste it into Notepad and save it as a .crt file. Then you upload the cert to Device->Certificates.

L6 Presenter

I know that. I have the file already. You mean the solution is like this:

1) Upload cert. you bought

2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the Cert you uploaded

3) Move to Client Configuration tab > Delete any Root CA's that are set.

4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you uploaded. Set "Client Certificate Profile" to "None".

Is this the solution? Because I will try it tomorrow.


L3 Networker

Correct, assuming that is what you are trying to accomplish: presenting the VPN portal in a way that does not give a certificate warning.
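Before uploading the purchased certificate under Device->Certificates and binding it to the portal and gateway as in the steps above, it is worth checking the files locally. The script below is an added example for this thread, not code from the original posts or from Palo Alto Networks. It checks that the private key belongs to the certificate, that the certificate is an end-entity cert and not a CA (the earlier reply also insisted on "not a Certificate Authority"), that the certificate has not expired, and that each portal/gateway FQDN is covered by the certificate's subjectAltName and verifies against the issuer bundle, which is what the GlobalProtect client is checking when it reports "Check server certificate". Because the thread later mentions the purchased cert is a wildcard, it also shows that a wildcard covers exactly one DNS label. The file names, the hostnames vpn.example.com and gw1.example.com, and the wildcard *.example.com are assumptions; the certificate and key are generated on the fly with openssl as a constructed stand-in for the purchased files so the script runs offline.

```shell
#!/usr/bin/env bash
# Pre-import checks for a purchased server certificate destined for a GlobalProtect
# portal/gateway. Added example for this thread, not Palo Alto Networks tooling.
# Needs the openssl command-line tool; runs offline on a CONSTRUCTED test cert.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Assumed file names; in real use point these at the files you got from the CA.
CERT="$WORK/purchased.crt"   # server certificate (PEM)
KEY="$WORK/purchased.key"    # private key the CSR was generated with
CHAIN="$CERT"                # issuer bundle; for a real cert, the CA's intermediate+root PEM

# CONSTRUCTED stand-in for the purchased wildcard cert: a self-signed end-entity
# cert (CA:FALSE) for *.example.com, generated here only so the script runs offline.
make_test_cert() {
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = leaf_ext
[dn]
CN = *.example.com
[leaf_ext]
subjectAltName = DNS:*.example.com
basicConstraints = critical, CA:FALSE
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$KEY" -out "$CERT" -config "$WORK/leaf.cnf" >/dev/null 2>&1
}

# Check 1: the private key belongs to the certificate (compare public-key digests).
key_matches_cert() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$CERT" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
  [ "$from_cert" = "$from_key" ]
}

# Check 2: a server certificate must be an end-entity cert, not a CA.
is_end_entity() {
  ! openssl x509 -in "$CERT" -noout -text | grep -q 'CA:TRUE'
}

# Check 3: the certificate has not expired (it would import fine but clients reject it).
is_not_expired() {
  openssl x509 -in "$CERT" -noout -checkend 0 >/dev/null
}

# Check 4: the chain verifies against the issuer bundle AND the given FQDN is
# covered by the certificate's subjectAltName, which is what the client checks.
covers_host() {
  openssl verify -CAfile "$CHAIN" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}
host_not_covered() { ! covers_host "$1"; }

report() {  # report <label> <check-function> [args...]
  local label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

main() {
  make_test_cert
  report "private key matches certificate"                   key_matches_cert
  report "certificate is end-entity (CA:FALSE)"              is_end_entity
  report "certificate has not expired"                       is_not_expired
  report "vpn.example.com covered by SAN *.example.com"      covers_host vpn.example.com
  report "gw1.example.com covered too (any single label)"    covers_host gw1.example.com
  # A wildcard matches exactly one label: a gateway named one level deeper is NOT covered.
  report "deep.sub.example.com NOT covered by *.example.com" host_not_covered deep.sub.example.com
}

main
```

For a real certificate, drop make_test_cert, point CERT and KEY at the files from the CA and CHAIN at the intermediate/root bundle the CA supplied; the firewall also needs that bundle imported, or clients will see an incomplete chain. If the CSR was generated on the firewall itself, the key never leaves the box and only the signed certificate is imported against that CSR, so there is no local key to compare.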

L6 Presenter

Thanks. I will try and write back. Thank you.

L6 Presenter

I tried that. Not selecting any client certificate fixed the problem. Thank you very much.

I wonder, if we want to use a client certificate also, what steps we will do.

Thank you for help

L3 Networker

The client cert depends on how you want to set that up. We use AD in our environment, so we generate user certificates from our AD CA. You can generate a signed cert within the PA too and use that.

L6 Presenter

OK. I understand AD.

Can we use the certificate that we bought for clients also? (It is a wildcard cert.)
