
Global protect VPN server certificate error


L0 Member

Hi All,

 

I am new to this community. I am here to get some help on an issue I am experiencing with my organization's VPN network: the GP VPN server certificate is not trusted.

Here is the error screenshot.

image.png

Any help to troubleshoot this issue would be greatly appreciated 👍

 

Regards

Sanjib


Accepted Solutions

L6 Presenter

I agree with @BPry: if this is an existing deployment with nothing new, it seems odd that this error is just randomly occurring. At face value there are 2 things going on here. Either the certificate being presented by the firewall isn't trusted by the machine that's trying to connect to the VPN (meaning you are missing at least one of the following in the local machine cert store: root, intermediate, or issuer). Option 2 is that the certificate is expired and inherently will be untrusted.

 

There can be other, more intricate issues, like @BPry mentioned, with the cert name not matching the SN/SAN (subject alternative name) -- this wouldn't make sense, though, to "just have broken" with nothing else being changed.


3 REPLIES

Cyber Elite

@Sanjib1549,

I'm assuming that this is a new configuration and not an existing configuration. You'll either need to get a certificate that is signed by a public trusted certificate authority, an internal certificate authority trusted by your endpoints, or utilize a self-signed certificate and deploy out the certificate to your endpoints.

I don't recommend utilizing an IP for VPN personally and would recommend setting up an FQDN, but if you're going to utilize an IP it needs to be listed as a SAN for modern browsers to accept it as well. I wouldn't recommend relying solely on IP instead of a DNS entry in a production environment however.

Thanks for your assistance. It is actually not a new configuration. I actually need some reference articles or documents; if I can get them, that will be helpful.

 

Regards

Sanjib
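The causes named in the accepted solution (chain not trusted, certificate expired, name not matching the SAN) and the IP-in-SAN point from the reply above can be told apart with the `openssl` command line. The script below is an added example, not code from any poster or from Palo Alto Networks. The helper names `diagnose` and `make_fixture`, the host `vpn.example.com`, the `192.0.2.x` addresses and both CAs are constructed for illustration, and it assumes OpenSSL 1.1.0 or later.

```bash
#!/usr/bin/env bash
# Added example: which of the thread's causes makes a client reject the portal
# certificate? Prints "ok" or any of: untrusted-chain, expires-within-<N>s,
# name-mismatch.
# diagnose CERT CA_BUNDLE NAME_OR_IP [SECONDS_AHEAD]   (helper name is ours)
diagnose() {
  cert=$1; ca=$2; name=$3; ahead=${4:-0}; out=""
  # Chain: root/intermediate/issuer missing from what the endpoint trusts.
  # -no_check_time keeps an expired cert from being reported as a chain fault.
  openssl verify -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    out="$out untrusted-chain"
  # Expiry: -checkend fails if notAfter falls within the next N seconds
  # (N=0 means the certificate has already expired).
  openssl x509 -in "$cert" -noout -checkend "$ahead" >/dev/null 2>&1 ||
    out="$out expires-within-${ahead}s"
  # Name: an IP only matches an IP SAN entry, a hostname only a DNS SAN entry.
  case $name in
    *:*) flag=-checkip ;;          # IPv6 literal
    *[!0-9.]*) flag=-checkhost ;;  # contains other characters: treat as FQDN
    *) flag=-checkip ;;            # dotted-quad IPv4
  esac
  match=$(openssl x509 -in "$cert" -noout "$flag" "$name" 2>&1 || true)
  case $match in *"does match"*) ;; *) out="$out name-mismatch" ;; esac
  out=${out# }; echo "${out:-ok}"
}

# Constructed test PKI (not from the thread): a CA the endpoints trust, an
# unrelated CA, and a one-day portal cert with a DNS and an IP SAN entry.
make_fixture() {
  d=$1
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/ca.cnf"
  for n in trusted other; do
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
      -subj "/CN=Example $n CA" -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
  done
  printf 'subjectAltName=DNS:vpn.example.com,IP:192.0.2.10\n' > "$d/san.ext"
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=vpn.example.com" -keyout "$d/portal.key" -out "$d/portal.csr" 2>/dev/null
  openssl x509 -req -in "$d/portal.csr" -CA "$d/trusted.pem" -CAkey "$d/trusted.key" \
    -CAcreateserial -days 1 -extfile "$d/san.ext" -out "$d/portal.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_fixture "$demo"
diagnose "$demo/portal.pem" "$demo/other.pem" 192.0.2.99   # wrong CA, IP not in SAN
rm -rf "$demo"
```

To check a real portal, save the certificate it presents with `openssl s_client -connect <portal-fqdn>:443 </dev/null | openssl x509 -out portal.pem`, then pass that file, the CA bundle your endpoints actually trust, and the exact name or IP configured in the GlobalProtect client.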
