client cert invalid message when connecting global protect with client cert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

client cert invalid message when connecting global protect with client cert

L4 Transporter

Hello

I had tested to connect global protect with client cert successful in my lab.(PANOS-5.0.x)

I am installing global protect on my custom device.(PANOS-5.0.x)

But I don't connect with 'client cert invalid' message.

I had installed the following in my lab at old days.

1.png

1. self generated certificate.

2.png

2. subject > common-name. profile name is 'test'

3. Portal configuration (authentication profile : local DB , client certificate : none , certificate profile : none)

4. Gateway configuration (authentication profile : none , certificate profile : 'test')

5. import certificate into my laptop.

6. connecting GP -> portal auth localdb(id/pw) successful -> gateway auth client cert(username : uquest) successful

I am installing the following in my custom device.

1. FW is imported certificate issuer by window CA server.

   subject : /C=KR/ST=Seoul/O=paloalto/OU=paloalto/CN=pa.paloalto.co.kr

   issuer : /DC=local/DC=paloalto/CN=paloalto-CA

2. certificate profile : name 'test01'

    username field - subject  - common name

    domain : pa.paloalto.co.kr

3. Portal configuration (authentication profile local DB , client certificate : none , certificate profile : none)

4. Gateway configuration (authentication profile : none , certificate profile : 'test01')

5. import certificate into my laptop.

6. connecting GP -> portal auth localdb(id/pw) successful -> gateway auth client cert(username : none) fail.

    Error message is client cert invalid.

3.png

I don't know what missed configuration and problem.

Please let me know resolved way.

Thanks.

8 REPLIES 8

L4 Transporter

L4 Transporter

in step 3 3. Portal configuration (authentication profile local DB , client certificate : none , certificate profile : none)

you forgot certificat profile

Hello gregory.screve1,

Thank you for your help.

I had seen this document your recommend.

I have modified certificate profile in portal configuration.

But I don't still connect GP with same error message.

Please let me know other resolved way.

In your portal config / Client Configuration, Have you well configure your Trusted root CA ?

Have you got either error or warning during commit ?

V.

see https://live.paloaltonetworks.com/message/26851#26851


If you use a self-signed or in-house cert, this feature prevents the client from getting an 'untrusted issuer' prompt when connecting to that gateway. If you are using a public CA with your gateway, you won't need to use this feature.


you need to define the CA root like that only if you use a trust  root Ca that is not deployed on your client machine.

even you need it it doesn't block yours connection attempt, just a warning.

Hello VinceM,

Thank you for your information.

I have installed to choose client certificate in portal config / Client configuration / Trust Root CA.

But result is same. I don't connect GP with same error message.

I guess that FW does not read common name in certificate.

I had imported intermediate certificate for client certificate to FW.

My customer sent only this certificate issuer by private Window CA.

Do I need root certificate? Then Will I have to configure root certificate in portal config / Client configuration / Trust Root CA????

I think you have to chain the certificat on the paloalto

see https://live.paloaltonetworks.com/docs/DOC-1937

page 32 you could find an example to chain the certificat

and on your device you need to install the trust root CA and the intermediate

you could obtain more information about your issue if you activate the troubleshooting on the global protect agent on your user device.

  • 7034 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!