Hate to resurrect an old topic, but I am having this very issue as well. Running 4.1.8 GP, have AD auto-enrolling workstations for certificates, which only places the certificate in the machine store. The GP Client is set up to look for certificates in the machine store (not both) and I am still getting errors connecting, with an error stating 'required client cert not found'.
Can we assume you can see the cert in the machine's personal store when using the MMC?
Have you tried this first with a self-signed cert? Generate a user cert and manually import it into the computer store.
Pretty basic stuff, but it may be worth going back a few steps to see if it's a cert read error or a PKI issue.
Thanks for the reply, and good call. I re-imported the self-signed cert (generated by the firewall) I used as a PoC for pre-logon only in the machine store and was able to connect... Though this leaves me scratching my head: the certs' permissions are identical, both have the private keys, share the same signature algorithms, etc.
The only differences I see are that the self-signed cert has an additional 'Intended Purpose' of IP Security end system, and the cert CN. The self-signed is just some bogus name I made for testing purposes, and the PKI-issued one is my machine's FQDN.
The certificate profiles in use for the PKI have our Root and intermediate CAs defined with the rest as defaults, and the self-signed certificate profile has the firewall's CA defined with the rest of the options as default.
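A PowerShell check for the comparison being made in this post, added here as an example and not code from any of the posters or from Palo Alto: it lists every cert in the machine personal store and reports the properties the thread is comparing (private key linked, Client Authentication EKU, subject CN equal to the machine FQDN, chain to a trusted root). It assumes the machine's DNS name is the expected CN.

```powershell
# Added example, not from the thread. Inspect Cert:\LocalMachine\My and report the
# properties a machine-cert / pre-logon client selection depends on.
# Assumption: the expected subject CN is this machine's DNS FQDN.
$expectedCn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$cnPattern     = 'CN=' + [regex]::Escape($expectedCn) + '(,|$)'

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Build the chain the way a client would: it must end in a trusted root.
    # Revocation checking is disabled here so CRL/OCSP reachability does not
    # get confused with a missing Root/intermediate CA in the trust store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # An empty EKU list means "all purposes"; otherwise Client Authentication must be present.
    $ekuOids = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    $clientAuthOk = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        # HasPrivateKey only says a key is linked; for pre-logon the key must also be
        # readable by SYSTEM (auto-enrolled machine keys normally are).
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $clientAuthOk
        EkuOids       = ($ekuOids -join ',')
        CnMatchesFqdn = [bool]($cert.Subject -match $cnPattern)
        ChainTrusted  = $chainOk
        ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
} | Format-List
```

Run it in an elevated prompt; a cert that shows ChainTrusted false with a status such as UntrustedRoot or PartialChain points at the CA trust side rather than at the cert itself.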
OK, so does the PKI cert on the Palo have "Trusted Root CA" ticked?
Kinda clutching at straws, as you seem to have all you need.
I doubt it's anything to do with the username field in the cert profile, as that will cause a different error, "certificate invalid".
Do you get the same error when you browse to https://your-portaldotsumfink?
I do not, and would actually like to avoid that, as I would prefer the machine certificate not follow the user wherever they log in.
Out of curiosity, do you, or @Mick_Ball, have pre-logon set up using certs auto-enrolled from AD, or are you using the SCEP functionality, or manually generating and importing certs?