Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Ma

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Ma

L3 Networker



Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Machine Store? I tired giving the user perm but this didnt fix it. Only way to resolve it is to move the cert to the user store, which I dont want to do.





It does, I've attached a screen shot of my config.  The green is the self-signed, the blue is our root ca, and red is an intermediate that signed the cert that was deployed to the workstation.

In your GP portal configuration, do you have a certificate profile applied?

In the portal config I do not, but in the gateway I do.  It is when I switch it from the prelogon-cert profile to the internal-PKI profile that I encounter the 'required client cert not found' error.

Do you have a way to distribute a cert to the user store? There could be a permission issue with accessing the computer cert store to verify the correct certificate.

I do not and would actually like to avoid that as I would prefer the machine certificate not follow the user, wherever they login.


Out of curiosity do you, or @MickBall, have pre-logon setup using certs auto-enrolled from AD; or are you using the SCEP functionality, or manually generating and importing certs?

We generate machine certs and user certs, both scoped to specific AD groups. We use certs for more than just VPN so we have a need to deploy both.

I do not use pre logon, it doesn’t really suit our requitements. 

I use both pki and self signed.


pki user certs go into user store for globalprotect.

pki machine certs go into machine store for network access control.


self signed certs are distributed to 3rd party support and non domain maccy stuff.....


one thing i have noticed is that our machine certs cannot be used for gp as the cert profile is looking for subject field and the machine certs do not contain this information. Perhaps thats your issue...


@MickBall @rmfalconer 


Just a follow up as I opened up a TAC case for this issue.  It turns out that the version of PanOS we are on 8.0.13 does not support SHA512, which is what our internal PKI CAs are hashed with.

Did you upgrade OS , just to know if that fixed your issue ?

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!