03-21-2020 01:53 PM
Dear Community,
I've recently purchased a wildcard certificate that I intend to use on our firewall for GlobalProtect. It is a single device, and the gateway is configured as an external gateway (it provides only VPN access from the external world). I've installed the certificate without any issue, but CA is not ticked on it. Therefore I cannot select this certificate at Portal/Agent/Trusted Root CA, and I get a certificate error on the client side.
If I create a self-signed certificate to use for the Gateway and use the wildcard for the Portal, the client can connect, but then the browser complains about a bad certificate.
I read something about Sectigo not being listed in the default trusted certificate authorities; can that cause the problem? How can I resolve this issue and keep the official certificate for the whole chain?
I'm using PAN-OS 9.1.
03-21-2020 02:34 PM
You don't need a CA for the portal, nor for the gateway. Using the wildcard certificate should work fine.
If you intend to use certificate-based authentication (user and/or machine certificate), then you need a CA which signs the user/machine certificates. This CA needs to be listed as a trusted CA in the portal (the portal will then only accept the certificate if it is signed by the "trusted CA" you have listed).
03-21-2020 03:04 PM
Thanks, I've managed to puzzle it together. The final revelation was to use the FQDN as the external gateway, not the IP.
Case can be closed as resolved 🙂
06-01-2020 12:51 AM
Did you face any issue with GlobalProtect on 30 May 2020 due to the Sectigo cert?
06-01-2020 02:43 AM
I have an issue with a Sectigo-secured site today that I would use relatively often without issue. PA says expired certificate.
06-01-2020 09:51 AM
We're seeing the same on our end. Adding the root CA to device certs (with Trusted Root CA checked) hasn't resolved either.
06-02-2020 02:45 AM
Please update if you got any solution. Currently, as a workaround, we are using a self-signed cert.
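The three failure modes in this thread (a wildcard certificate that cannot match a gateway configured by IP instead of FQDN, a leaf that is correctly not a CA, and a root that expired on 30 May 2020) can be reproduced with a small chain checker. This is an added, stand-alone example, not code from the thread or from Palo Alto Networks; certificates are modelled as constructed dicts with placeholder names and dates rather than parsed X.509, so it runs with the Python standard library only.

```python
"""Model why a GlobalProtect client rejects a portal/gateway certificate:
name mismatch, missing CA flag on an issuer, or an expired chain member."""
from datetime import datetime
import ipaddress

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """RFC 6125-style matching: '*' is allowed only as the whole leftmost label
    and matches exactly one label. An IP literal never matches a DNS-name SAN,
    so a wildcard cert only works when the gateway is configured as an FQDN."""
    if is_ip_literal(host):
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_chain(chain, connect_host, now):
    """chain[0] is the leaf, later entries its issuers. Returns a list of
    problems; an empty list means the client accepts the certificate."""
    problems = []
    if not any(dns_name_matches(n, connect_host) for n in chain[0]["san"]):
        problems.append(f"name mismatch: {connect_host} not covered by {chain[0]['san']}")
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            problems.append(f"{cert['subject']}: not valid on {now:%Y-%m-%d}")
        if i > 0 and not cert["is_ca"]:  # only issuers need the CA flag
            problems.append(f"{cert['subject']}: used as issuer without CA flag")
    return problems

# Constructed chain: wildcard leaf -> intermediate -> root expiring 2020-05-30,
# mirroring the date reported in the thread. All names are placeholders.
CHAIN = [
    {"subject": "*.example.com", "san": ["*.example.com"], "is_ca": False,
     "not_before": datetime(2020, 3, 1), "not_after": datetime(2021, 3, 1)},
    {"subject": "Example Intermediate CA", "san": [], "is_ca": True,
     "not_before": datetime(2015, 1, 1), "not_after": datetime(2030, 1, 1)},
    {"subject": "Example Legacy Root", "san": [], "is_ca": True,
     "not_before": datetime(2000, 5, 30), "not_after": datetime(2020, 5, 30)},
]
```

Running `check_chain(CHAIN, "203.0.113.10", datetime(2020, 3, 21))` reports a name mismatch, the same host by FQDN passes on that date, and the same FQDN on 2020-06-01 reports the expired root, which is the point at which the firewall would start flagging the chain.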