06-19-2013 06:34 AM
Hello
I had tested connecting GlobalProtect with a client cert successfully in my lab (PAN-OS 5.0.x).
I am now setting up GlobalProtect on my customer's device (PAN-OS 5.0.x).
But I can't connect; I get a 'client cert invalid' message.
I had set up the following in my lab earlier:
1. Self-generated certificate.
2. Subject > common-name. Profile name is 'test'.
3. Portal configuration (authentication profile: local DB, client certificate: none, certificate profile: none)
4. Gateway configuration (authentication profile: none, certificate profile: 'test')
5. Import the certificate onto my laptop.
6. Connecting GP -> portal auth local DB (id/pw) successful -> gateway auth client cert (username: uquest) successful
I am setting up the following on my customer's device:
1. The FW has an imported certificate issued by a Windows CA server.
subject : /C=KR/ST=Seoul/O=paloalto/OU=paloalto/CN=pa.paloalto.co.kr
issuer : /DC=local/DC=paloalto/CN=paloalto-CA
2. Certificate profile: name 'test01'
   username field: subject - common name
   domain: pa.paloalto.co.kr
3. Portal configuration (authentication profile: local DB, client certificate: none, certificate profile: none)
4. Gateway configuration (authentication profile: none, certificate profile: 'test01')
5. Import the certificate onto my laptop.
6. Connecting GP -> portal auth local DB (id/pw) successful -> gateway auth client cert (username: none) fails.
The error message is 'client cert invalid'.
I don't know what configuration is missing or what the problem is.
Please let me know how to resolve it.
Thanks.
06-19-2013 08:16 AM
Did you see this: https://live.paloaltonetworks.com/docs/DOC-1934
06-20-2013 01:06 AM
Hello gregory.screve1,
Thank you for your help.
I have read the document you recommended.
I have modified the certificate profile in the portal configuration.
But I still can't connect GP; I get the same error message.
Please let me know another way to resolve it.
06-20-2013 02:13 AM
In your portal config / Client Configuration, have you configured your Trusted Root CA correctly?
Did you get any error or warning during commit?
V.
06-20-2013 03:12 AM
see https://live.paloaltonetworks.com/message/26851#26851
If you use a self-signed or in-house cert, this feature prevents the client from getting an 'untrusted issuer' prompt when connecting to that gateway. If you are using a public CA with your gateway, you won't need to use this feature.
You need to define the CA root like that only if you use a trusted root CA that is not deployed on your client machines.
Even if you need it, it doesn't block your connection attempt; it is just a warning.
06-20-2013 03:32 AM
Hello VinceM,
Thank you for your information.
I have selected the client certificate in portal config / Client configuration / Trusted Root CA.
But the result is the same: I can't connect GP, with the same error message.
I guess that the FW does not read the common name in the certificate.
06-20-2013 04:05 AM
I had imported the intermediate certificate for the client certificate into the FW.
My customer sent only this certificate, issued by a private Windows CA.
Do I need the root certificate? If so, will I have to configure the root certificate in portal config / Client configuration / Trusted Root CA?
06-20-2013 04:47 AM
I think you have to chain the certificate on the Palo Alto.
See https://live.paloaltonetworks.com/docs/DOC-1937
On page 32 you will find an example of chaining the certificate.
And on your device you need to install the trusted root CA and the intermediate.
You could obtain more information about your issue if you activate troubleshooting on the GlobalProtect agent on your user's device.
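The situation the last two posts describe (only the issuing CA was imported, so the client certificate cannot be chained to a trusted root, and the username field stays empty) can be reproduced and checked offline with plain OpenSSL before touching the firewall. The script below is an added example for this thread, not Palo Alto Networks code and not a PAN-OS command; every subject, file name and CA name in it is constructed for the demonstration. It builds a throwaway two-tier CA (self-signed root, then an issuing CA signed by it), issues a client certificate, and verifies that certificate once against the issuing CA alone and once against the chained root + issuing CA bundle, which is the same check the certificate profile performs. It also prints the subject CN, the value a "subject / common-name" username field would extract.

```shell
#!/bin/sh
# Added example (not from the thread or from Palo Alto Networks): reproduce
# the "only the intermediate CA was imported" failure with plain OpenSSL.
# Builds a throwaway two-tier CA (root -> issuing CA), issues a client cert,
# and verifies it against the issuing CA alone and against root + issuing CA.
# All names, subjects and file names below are constructed for this example.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL config: subjects come from -subj on the command line; the
# extension sections give each tier the basicConstraints/keyUsage a real CA has.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
default_md = sha256
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_issuing ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

q() { "$@" >/dev/null 2>&1; }   # run a command quietly; set -e still catches failures

build_pki() {
  # 1. Self-signed root CA (the certificate the customer did not send).
  q openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -subj "/DC=local/DC=example/CN=example-Root-CA" \
    -config ca.cnf -extensions v3_root -keyout root.key -out root.crt
  # 2. Issuing (intermediate) CA signed by the root: the only cert that was imported.
  q openssl req -new -newkey rsa:2048 -nodes \
    -subj "/DC=local/DC=example/CN=example-Issuing-CA" \
    -config ca.cnf -keyout issuing.key -out issuing.csr
  q openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -days 30 -extfile ca.cnf -extensions v3_issuing -out issuing.crt
  # 3. Client certificate; its CN is what a "subject / common-name" username field reads.
  q openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=KR/ST=Seoul/O=example/OU=vpn/CN=alice" \
    -config ca.cnf -keyout client.key -out client.csr
  q openssl x509 -req -in client.csr -CA issuing.crt -CAkey issuing.key \
    -CAcreateserial -days 30 -extfile ca.cnf -extensions v3_client -out client.crt
  # Two trust bundles: what was imported, and what the certificate profile needs.
  cp issuing.crt intermediate-only.pem
  cat root.crt issuing.crt > chain.pem
}

# Return 0 if certificate $2 chains to a self-signed root in bundle $1, else 1.
# OpenSSL, like the firewall, does not accept a non-self-signed CA as an anchor.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "$1: $2 -> OK"
  else
    echo "$1: $2 -> FAIL (cannot build a chain to a trusted root)"
    return 1
  fi
}

# Print the subject CN; handles both the old "/CN=x" and the new "CN = x" output.
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

build_pki
echo "client CN (username field): $(subject_cn client.crt)"
verify_against intermediate-only.pem client.crt || echo "  -> this is the 'client cert invalid' situation"
verify_against chain.pem client.crt
```

Run it against the real files by replacing the generated `issuing.crt`, `root.crt` and `client.crt` with the customer's PEM files: if `openssl verify` only passes with the root included in the bundle, the root has to be imported on the firewall and chained to the issuing CA in the certificate profile, exactly as the last reply says, and the intermediate alone will keep producing the "client cert invalid" result.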