07-30-2012 06:20 AM
We were using SSL VPN with the PA's certificate. Now we bought a 3rd party cert. from Verisign and imported it as the server certificate.
But GlobalProtect gives an error: "Protocol Error: Check server certificate".
I have searched KnowledgePoint but could not find anything for this error.
Any idea?
07-30-2012 10:39 AM
I think I've had the same problem. PAN's documentation, and what others tell you to do, is inaccurate. I happened to stumble on this forum thread, https://live.paloaltonetworks.com/thread/4054, and found this answer to be very helpful. Instead of generating a plain cert on the PA-FW, use your purchased cert instead:
1) Generate a plain cert in Palo Alto (not signed and not a Certificate Authority).
2) GlobalProtect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the cert you made in step 1.
3) Move to the Client Configuration tab > Delete any Root CAs that are set.
4) GlobalProtect > Gateways > Your Gateway > General > Set "Server Certificate" to the cert you created in step 1. Set "Client Certificate Profile" to "None".
I was getting a very similar error doing it any other way, but this seemed to fix the problem.
07-30-2012 05:59 PM
Thanks for the help, but where is the cert that I have bought? I could not find it in your answer.
07-31-2012 08:36 AM
This is typically provided to you either by email or at the time of purchase through the web browser. You would save it in Notepad as a .crt file. Then you upload the cert to Device -> Certificates.
07-31-2012 08:58 AM
I know that. I have the file already. You mean the solution is like this:
1) Upload the cert. you bought.
2) GlobalProtect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None". Set "Server Certificate" to the cert you uploaded.
3) Move to the Client Configuration tab > Delete any Root CAs that are set.
4) GlobalProtect > Gateways > Your Gateway > General > Set "Server Certificate" to the cert you uploaded. Set "Client Certificate Profile" to "None".
Is this the solution? Because I will try it tomorrow.
07-31-2012 09:03 AM
Correct, assuming that is what you are trying to accomplish: presenting the VPN portal in a way that does not give a certificate warning.
07-31-2012 09:06 AM
Thanks. I will try it and write back. Thank you.
08-02-2012 06:43 AM
I tried that. Not selecting any client certificate fixed the problem. Thank you very much.
I wonder, if we want to use a client certificate also, what steps would we do?
Thank you for the help.
08-02-2012 09:24 AM
The client cert depends on how you want to set that up. We use AD in our environment, so we generate user certificates from our AD CA. You can generate a signed cert within the PA too and use that.
08-02-2012 09:28 AM
OK. I understand AD.
Can we use the certificate that we bought for clients also? (It is a wildcard cert.)
08-14-2012 09:59 PM
You may be able to, but I don't know how to configure that. We used AD CA certs; it was easier. As for signing individual certs with the purchased one, I don't think you can do that.
02-15-2013 04:50 PM
Hello
How did you generate user certificates from AD?
Which template did you use?
Did you generate a Gateway Certificate too?
Thanks
02-20-2013 08:03 AM
User certificates were created from the Windows Server Certificate Authority; we obtain user certs this way: https://domaincontroller/certsrv, since that is where our certificate authority is at the moment. If you are logged in as the user, they simply walk through the process and it adds the cert to their machine.
I'm not sure I understand the gateway cert question. We generated a third-party cert and specified it as the server cert in both the portal and the gateway. I also had to use our internal root cert to handle the user cert authentication.
02-22-2013 01:02 AM
Hello
My question is about the type of certificate you have to issue as there are several templates on the Windows CA
02-23-2013 06:13 AM
I believe all you need is a user certificate. When going to certsrv in a web browser and logging in with the user name/password, for us it just generates a user certificate.