How to configure per-client certs on GlobalProtect?


L2 Linker

NOTE: the freeware pfsense firewall can configure a working VPN with user passwords and user certs (2FA) inside of 20 MINUTES. With Palo Alto Networks, I'm on WEEK 6.


Where I am at:
1) I have GlobalProtect working with password auth. (Had to call tech support, who knew what steps were missing from the documentation.)
2) I want to have 2FA: so, I spun up a CA (easy-rsa) to provide a CA cert, and generate per-user certs. (pfSense will just do this for you in the GUI, but I did the process described here:
3) I can get password + cert working with the unsupported Linux client. (

4) I can get password + cert working with the unsupported Linux client, using either my personal cert, or another user's personal cert. (WTF?)
5) We have tried and tried and tried again to "import" a personal cert on MacOS but anywhere we import a cert with the "Keychain Access" app GlobalProtect comes back with the same error: "The client certificate to establish the GlobalProtect connection was not found." 

Our client certs have Subject fields that look like this:
Subject: C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops, CN=user1/name=VPN/

Subject: C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops, CN=user2/name=VPN/


A) How in the name of all that is good do you get a user cert imported on MacOS?
B) My Certificate Profile is configured for Username Field: Subject (common-name) ... what should I have in there?
C) Or, are my cert Subjects in a form that won't work for GlobalProtect: what should they look like?




Accepted Solutions

PALO ALTO NETWORKS SECURITY VULNERABILITY: GlobalProtect 2FA password + certificate does not verify that certificate matches user

Reboot-between-experiments ... load up a virgin System ...


Certificate Profile > Username Field: Subject

Gateways > Authentication > Client Authentication *none*


User key like this:

Subject: C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops, CN=djh/name=Daniel Howard/


Mac GlobalProtect will load the key in PKCS12 format.
User shows up as djh.




Certificate Profile > Username Field: Subject

Gateways > Authentication > Client Authentication *LDAP*


Mac GlobalProtect will only let me log in as the user in the CN on the certificate.

This achieves 2FA:

  • User needs to have their SSL cert.
  • User needs to know their password.


On the unsupported Linux openconnect client, I can log in with any signed cert. There is no server-side enforcement that the user matches the certificate. This is a surprising vulnerability in a security product: that we rely on a client to enforce the server's authentication credentials.

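The gateway-side check the accepted answer reports as missing (the user who authenticated with a password must be the principal the client certificate was issued to), written out as an added example. This is not code from the thread or from Palo Alto Networks; it only models what a Certificate Profile with Username Field set to Subject (common-name) derives from subjects shaped like the ones quoted above, using constructed sample subjects. The case-insensitive comparison is an assumption about how the directory matches usernames.

```python
"""Derive the username a certificate profile (Username Field: Subject, i.e. the CN)
would take from a client certificate subject, and enforce that it matches the
username supplied at password login. Constructed example, not Palo Alto code."""
import re
from typing import Dict, Optional

# Constructed sample subjects modelled on the thread: comma-separated RDNs with the
# easy-rsa "/name=.../" tail glued onto the CN value.
SAMPLE_SUBJECTS = {
    "user1": "C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops, CN=user1/name=VPN/",
    "user2": "C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops, CN=user2/name=VPN/",
    "djh": "C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops, CN=djh/name=Daniel Howard/",
}


def parse_subject(subject: str) -> Dict[str, str]:
    """Split an OpenSSL one-line subject into an attribute dict.

    Accepts the ", "-separated form, the legacy "/K=V/K=V" form, and the mixed
    case above where a "/name=.../" tail hangs off the CN value.
    """
    attrs: Dict[str, str] = {}
    for rdn in re.split(r",\s*", subject.strip()):
        if not rdn:
            continue
        # Any "/key=value" fragments (legacy slash format) are peeled off here.
        for part in (p for p in rdn.split("/") if p):
            if "=" not in part:
                raise ValueError(f"malformed RDN: {part!r}")
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def username_from_subject(subject: str) -> Optional[str]:
    """What a certificate profile with Username Field = Subject (common-name) yields."""
    return parse_subject(subject).get("CN")


def authorize_login(login_username: str, cert_subject: str) -> bool:
    """Server-side binding of the password principal to the certificate principal.

    Returns True only when the CN on the presented certificate names the same user
    who authenticated with a password. Case-insensitive matching is an assumption
    about the directory (sAMAccountName/uid lookups are usually case-insensitive).
    """
    cn = username_from_subject(cert_subject)
    if not cn:
        return False
    return cn.casefold() == login_username.strip().casefold()


if __name__ == "__main__":
    # user1 presenting user1's cert is accepted; user1 presenting user2's cert is not,
    # which is exactly the cross-user case the thread observed being let through.
    print("user1 + user1 cert:", authorize_login("user1", SAMPLE_SUBJECTS["user1"]))
    print("user1 + user2 cert:", authorize_login("user1", SAMPLE_SUBJECTS["user2"]))
```

Run it directly to see the two cases; in a real deployment the equivalent check belongs on the gateway, where it cannot be skipped by a client that ignores the CN.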


L2 Linker

Some progress, maybe:


In the Gateway config, on the Agent tab, there's an option to add a Trusted Root CA and check "Install in Local Root Certificate Store" which seems to help convince the Mac Keychain Access app that the certificate I am supplying is legit.

Per this article, the CN needs to match the Gateway, so my certs now read:
Subject: C=US, ST=CA, L=Menlo Park, O=Quantifind, OU=Ops,

The client error now reads:
Gateway VPN-MTV: No valid certificate found. Please contact your IT administrator.

L2 Linker

I dug up the GlobalProtect logs on the client and found a message that the SSL service profile on the gateway was different from the root CA I was pushing from the portal. This is true, as it was using our Comodo cert. I created a new cert for the gateway which is signed by my local CA, and did up a new SSL service profile, and now that error is gone. I can load any number of certificates onto the client Mac OS that are viewed as valid because they are signed by my CA. However, none of them ever get picked up by the GlobalProtect client and all I ever get on the Mac is a gateway error: No valid certificate found.


So, I'm stuck back where I have been.

Hi @dannyman

I'm not sure how using username and password plus user cert works on the PA.

We do have Macs and iPads connecting with the above, but have username/password plus a device cert, not a user-specific cert.

The certificate profile "username field" is set to "none".

Going back a few years we did have issues trying to mix both.

It may be worth just trying to set the cert profile to "none" to see if you still get the error.

Are you only getting the errors on the gateways and not the portal?


@MickBall yes, if Certificate Profile == None then I can LDAP Auth just fine.

Maybe the way to do this is to try turning off LDAP Auth and see if I can get Cert Auth working on its own, then turn LDAP back on.
