Certificate Error in Global Protect Portal

smithkopel · ‎01-31-2012

Hi All,

I'm trying to setup the Globalprotect VPN and have followed the (only partially helpful) GlobalProtect-Configuration-4.1.pdf to create certs and set everything up. When I try to connect to the portal site with my browser I get a certificate error - "Error code: sec_error_bad_signature".

It doesn't matter if I conect to the host name or the IP that I defined in the cert, I still get this error.

Does anyone know what the problem could be. Also, is there a way to actually see the certificates?

Thanks,

Kenton

LCMember2723 · ‎02-09-2012

Hi Kamish,

Thanks very much. I've been working away on this for hours before seeing you post. My last issue was the temptation to select a value for Client Certificate Profile in the Portal Config. Please also note that after I recreated all the certs and started again, I emptied my test client browser cache and purged the certs from the cert personal store.

Works nicely now with PA based CA cert.

smithkopel · ‎02-10-2012

@kamish do you then manually copy the certificates to the browsers on the machines that need to connect to the portal?

Kenton

mwalter · ‎02-10-2012

Using GlobalProtect with an external CA could be documented better I suppose. The most common mistake is that the certificate that is issued by the external CA is not imported back into PANOS together with the corresponding private key and certificate chain. Usually you'd import it as a PKCS12 file.

smithkopel · ‎02-10-2012

@mwalter my initial problems were not with a third-party CA. I was using the PA as the CA exactly as per the instructions and it still didn't work, even after sitting down with an SE. It wasn't until we did the single cert solution as documented in this thread that we were able to get it working.

gebis_it · ‎05-12-2012

@jambulo: Thanks! Works for me...

I wonder if PaloAlto is willing to change the documentation if its wrong or outdated. Otherwise, we are all following the wrong documentations.

LCMember380 · ‎06-11-2012

Following these changes sorted the issue for me. Thanks.

SistemasCajamar · ‎02-22-2013

Hello

I'm trying to use a certificate from our Corporate CA (Windows 2003) with GlobalConnect Gateway and Portal

I've loaded the certificate, the private key and the root certificate. I've marked the root certifcate as Trusted Root CA.

I've configured the gateway with the server certificate, but I get this error:

What kind of certificate should I issue ?

Chris.Perez · ‎06-24-2013

SistemasCajamar - Your MS PKI certificate template may not have the proper attributes set, such as client authentication, or IPSec.

acmi · ‎07-04-2013

Hi Kanish,

I followed your examples for creating certificates for Global Protect.. But for some reason the portal or connecting via the Global Protect Client do not work.. The Portal just times out and client doesn't produce any errors or authentication window..

It only seems to work when l use the "web-server" local host device certificate within the Firewall.. But l don't want to use this as it is generating CN Host mismatch errors from the Global Protect Client..

We are using PAN OS " 5.0.3 and Global Protect Client 1.2.4

Thanks any help would be appreciated..

SG

Certificate Error in Global Protect Portal

Certificate Error in Global Protect Portal

Show your appreciation!