Sectigo wildcard certificate problem for Globalprotect

L0 Member

Dear Community,

 

I've recently purchased a wildcard certificate that I intend to use on our firewall for GlobalProtect. It is a single device, and the gateway is configured as an external gateway (it provides only VPN access from the external world). I've installed the certificate without any issue, but CA is not ticked on it. Therefore I cannot select this certificate under Portal/Agent/Trusted Root CA, and I get a certificate error on the client side.


If I create a self-signed certificate to use for the Gateway and use the wildcard for the Portal, the client can connect, but then the browser complains about a bad certificate.

 

I read something about Sectigo not being listed in the default trusted certificate authorities; can that cause the problem? How can I resolve this issue and keep the official certificate for the whole chain?

 

I'm using PAN-OS 9.1

KovBal
6 REPLIES

L4 Transporter

You don't need a CA for the portal, nor for the gateway. Using the wildcard certificate should work fine.

If you intend to use certificate-based authentication (user and/or machine certificate), then you need a CA which signs the user/machine certificates. This CA needs to be listed as a trusted CA in the portal (the portal will then only accept the certificate if it is signed by the "trusted CA" you have listed).

Thanks, I've managed to puzzle it together. The final revelation was to use the FQDN as the external gateway, not the IP.

 

Case can be closed as resolved 🙂

KovBal
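Why the FQDN mattered: a wildcard certificate only carries dNSName entries such as *.example.com, and a GlobalProtect client (like any TLS client) compares the name it was told to connect to against those entries. A wildcard covers exactly one left-most label, and an IP literal is never matched against a dNSName at all, so a gateway configured by IP cannot be verified by a wildcard certificate however it was issued. The following is an added example written for this page, not code from the thread or from Palo Alto Networks; it implements the RFC 6125 name-matching rule in plain Python and runs it over a constructed SAN list (example.com and 203.0.113.10 are placeholder names, not the poster's real domain or address). It goes slightly beyond the thread by also showing the sub-subdomain and iPAddress-SAN cases.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample input: the SAN entries of a typical public wildcard
# certificate as they would appear on the imported PAN-OS certificate object.
# Placeholder names, not the original poster's domain.
WILDCARD_SANS: List[Tuple[str, str]] = [
    ("DNS", "*.example.com"),
    ("DNS", "example.com"),
]


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a configured hostname (RFC 6125 style).

    A wildcard is honoured only when it is the entire left-most label, and it
    matches exactly one label: '*.example.com' covers 'vpn.example.com' but
    neither 'example.com' nor 'gw.eu.example.com'. Comparison is
    case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the whole first label and must not sit directly on a TLD.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Exactly one label is substituted, so label counts must agree.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches(sans: List[Tuple[str, str]], gateway_address: str) -> Optional[str]:
    """Return the SAN entry that verifies the configured gateway address, or None.

    gateway_address is whatever is typed into the portal's external gateway
    list. If it parses as an IP literal, only iPAddress SANs are considered;
    dNSName entries (wildcard or not) are never matched against an IP. That is
    the reason a wildcard certificate 'fails' for a gateway configured by IP
    and works once the gateway is configured by its FQDN.
    """
    try:
        ip = ipaddress.ip_address(gateway_address)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return f"IP:{value}"
        elif kind == "DNS" and _dns_match(value, gateway_address):
            return f"DNS:{value}"
    return None


def diagnose(sans: List[Tuple[str, str]], gateway_entries: List[str]) -> List[str]:
    """One human-readable verdict per configured gateway entry."""
    verdicts = []
    for entry in gateway_entries:
        hit = san_matches(sans, entry)
        if hit:
            verdicts.append(f"{entry}: OK, verified by {hit}")
        else:
            verdicts.append(f"{entry}: certificate error, no SAN covers this name")
    return verdicts


if __name__ == "__main__":
    # Constructed gateway entries: the FQDN that finally worked, the IP that
    # did not, and a two-level subdomain a wildcard does not cover.
    for line in diagnose(WILDCARD_SANS, ["vpn.example.com", "203.0.113.10", "gw.eu.example.com"]):
        print(line)
```

The same rule applies to the portal: the address the client is told to reach must be a name the certificate actually lists, and a wildcard never lists an IP. If a gateway genuinely must be reached by IP, the certificate needs an explicit iPAddress SAN for it, which public wildcard certificates do not carry.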

L3 Networker

Did you face any issue with GlobalProtect on 30 May 2020 due to the Sectigo cert?

I have an issue with a Sectigo-secured site today that I would use relatively often without issue. PA says expired certificate.

We're seeing the same on our end. Adding the root CA to device certs (with Trusted Root CA checked) hasn't resolved either.

@RyanHenckel   @RobinClayton

 

Please update if you got any solution. Currently, as a workaround, we are using a self-signed cert.

  • 1 accepted solution
  • 6786 Views
  • 6 replies
  • 0 Likes