Any idea about 3rd party verisign certificate with GlobalProtect ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Any idea about 3rd party verisign certificate with GlobalProtect ?

L6 Presenter

We were using sslvpn with PA 's certificate.Now we bought 3rd party cert. from Verisign and imported it as using server certificate

But Global Protect gives an error as "Protocol Error: Check server sertificate"

I have searched KnowledgePoint but could not find anything for this error.

Any idea ?

1 accepted solution

Accepted Solutions

L6 Presenter

I know that.I have the file already.You mean the solution is like this :

1) Upload cert. you bought

2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None".  Set "Server Certificate" to the Cert  you uploaded

3) Move to Client Configuration tab > Delete any Root CA's that are set.

4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you uploaded. Set "Client Certificate Profile to "None".

is this the solution ? Because I will try it tomorrow

View solution in original post

14 REPLIES 14

L3 Networker

I think I've had the same problem.  PAN's documentation, and what others tell you to do is inaccurate. I happened to stumble on this forum thread, https://live.paloaltonetworks.com/thread/4054 and found this answer to be very helpful instead of generating a plain cert on the PA-FW, use your purchased cert instead:

1) Generate a plain Cert in Palo Alto(Not signed and not a Certificate Authority)

2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None".  Set "Server Certificate" to the Cert you made in step 1.

3) Move to Client Configuration tab > Delete any Root CA's that are set.

4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you created in step 1.  Set "Client Certificate Profile to "None".

I was getting a very similar error doing it any other way, but this seemed to fix the problem.

Thanks for help but where is the cert that I have bought ? I could not find it at your answer.

This is typically provided to you either by an email or at time of purchase through the web browser.  You would save it to notepad and save it to a .crt file.  Then you upload the cert to Device->Certificates

L6 Presenter

I know that.I have the file already.You mean the solution is like this :

1) Upload cert. you bought

2) Global Protect > Portals > Your Portal > Portal Configuration > Set "Client Certificate" and "Client Certificate Profile" to "None".  Set "Server Certificate" to the Cert  you uploaded

3) Move to Client Configuration tab > Delete any Root CA's that are set.

4) Global Protect > Gateways > Your Gateway > General > Set "Server Certificate" to the Cert you uploaded. Set "Client Certificate Profile to "None".

is this the solution ? Because I will try it tomorrow

Correct.  Assuming that is what you are trying to accomplish.  Presenting the VPN portal in a way that does not give a certificate warning.

L6 Presenter

Thanks.I will try and write back.Thank you.

I tried that.Not selecting any client certificate fixed the problem.Thank you very much.

I wonder if we want to use client certificate also, what steps will we do.

Thank you for help

The Client cert depends on how you want to setup that. We use AD in our environment, so we generate user certificates from our AD CA.  You can generate a signed cert within the PA too and use that.

ok.I understand AD.

can we use the certificate that we bought for clients also ?(it is wildcard cert)

You may be able to, but I don't know how to configure that.  We used AD CA certs, it was easier.  To sign individual certs with the purchased one, I don't think you can do that.

Hello

How did you generate user certificates from AD?

Which template did you use?

Did you generate a Gateway Certificate too?

Thanks

User certificates were created from Window's Server Cert Authority - we obtain user certs this way https://domaincontroller/certsrv since that is where our certificate authority is as the moment. If you are logged in with the user then they just simply walk through the process and it add's it to their machine.

I'm not sure I understand the Gateway cert question, we generated a third party cert and specified both in the portal / gateway this cert for our server cert. I also had to use our internal root cert to handle the user cert authentication.

Hello

My question is about the type of certificate you have to issue as there are several templates on the Windows CA

I believe all you need is a user certificate.  When going to the certsrv in a web browser, logging in with the user name/password - for us just generates a user certificate.

  • 1 accepted solution
  • 12832 Views
  • 14 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!