
Certificate not valid

L1 Bithead

I am trying to set up machine authentication where it actually validates the machine certificate. I have a PKI infrastructure that pushes certificates to the machines, with their name in the Common Name and the machine hostname in the SAN.

On the Certificate Profile I have enabled CRL, added both the Root and intermediate CA, set username to subject, and then enabled the 4 "block session" checkmarks.

 

As soon as I enable "Block sessions if the certificate was not issued to the authenticating device", I cannot log in and GP gives me an error that I need a valid certificate.

 

I have also tried adding the domain and Certificate template, but that did not help.

 

Firewall is 1410, running 11.1.4-h1, agent running 6.3.1

Any idea what I am doing wrong?

4 REPLIES

L6 Presenter

How are you implementing your client certificates? The Host ID certificate check references a unique ID on the machine retrieved from the GP client and a serial number in the subject of the certificate. You can see the unique IDs it references per host OS in the manual here in the "Host ID" section:

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/globalprotect/objects-global...

 

So for a Windows machine the subject has to include the MachineGuid from the registry. It is not the machine name (CN) that most people would make their client certificates from. It is an optional field and basically no one normally creates a cert with a serial number. (Note this is not the serial number of the certificate itself, this is a serial number in the subject of the cert).

 

So a normal internal machine certificate for machine "mylaptop.example.local" would have a subject like:

CN = mylaptop

OU = EmployeePCs

DC = example

DC  = local

 

I haven't done this before, but I believe you need to create an internal client certificate with a subject like this:

CN = mylaptop

serialNumber = c828ea23-62ab-9a3d-56a90ecb2027

OU = EmployeePCs

DC = example

DC  = local

 

This requires redoing your PKI certificate templates to create the new cert form automatically during your AD joining/etc.
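As an added illustration of the subject shape described in the reply above (this is example code, not the poster's or Palo Alto's own tooling), the following script builds a throwaway self-signed machine certificate whose subject carries a serialNumber attribute alongside the CN, then reads that attribute back and compares it with an expected host ID. It assumes openssl is on the path; the working directory and the helper names are mine, and the GUID is the reply's placeholder value, not a real MachineGuid (on a Windows host the reply refers to the MachineGuid registry value, which a real template would have to populate from the enrolling machine).

```shell
#!/bin/sh
# Added example (not from the thread): a machine certificate whose subject
# includes the serialNumber attribute next to the CN, plus a check that the
# attribute matches the host ID we expect.
# Assumptions: openssl is installed; EXAMPLE_ID is a constructed placeholder.
set -eu

WORKDIR="${TMPDIR:-/tmp}/gp-hostid-example"
mkdir -p "$WORKDIR"

# Build a self-signed certificate with the subject layout from the reply:
# DC=local, DC=example, OU=EmployeePCs, serialNumber=<host id>, CN=<host>.
# $1 = CN (host name), $2 = host ID, $3 = output certificate path.
make_machine_cert() {
  cn="$1"; hostid="$2"; out="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$out.key" -out "$out" \
    -subj "/DC=local/DC=example/OU=EmployeePCs/serialNumber=$hostid/CN=$cn" \
    >/dev/null 2>&1
}

# Print the serialNumber attribute of the certificate subject
# (prints nothing when the subject carries no such attribute).
cert_subject_serial() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*serialNumber=\([^,]*\).*/\1/p'
}

# Compare the subject serialNumber with the expected host ID.
# Succeeds (exit 0) only when the attribute exists and matches exactly.
check_host_id() {
  got="$(cert_subject_serial "$1")"
  [ -n "$got" ] && [ "$got" = "$2" ]
}

# Demo run on the constructed host ID; a real deployment would use the
# machine's own identifier and a CA-issued certificate instead.
EXAMPLE_ID="c828ea23-62ab-9a3d-56a90ecb2027"
make_machine_cert mylaptop "$EXAMPLE_ID" "$WORKDIR/mylaptop.pem"
if check_host_id "$WORKDIR/mylaptop.pem" "$EXAMPLE_ID"; then
  echo "subject serialNumber matches host ID $EXAMPLE_ID"
else
  echo "subject serialNumber missing or mismatched" >&2
fi
```

The point of the check function is the failure mode the reply describes: a certificate with only CN, OU and DC components has no serialNumber attribute at all, so the comparison fails for the right reason rather than matching by accident on the host name.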

In what part of the certificate should this be added, the CN or the SAN? To my knowledge the CN can only contain one name, which is usually the FQDN.

If it is added to the SAN, in what format?
GUID = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx  (like Cisco ISE)

Serial = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

 

Can this be used without HIP?

The serial of the machine is usually different from the Machine ID; should I use the serial or the Machine ID? So should it be
host id = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx ?

L0 Member

Thank you so much for the information.

  • 67874 Views
  • 4 replies
  • 0 Likes