Sectigo wildcard certificate problem for Globalprotect

L0 Member

Dear Community,

I've recently purchased a wildcard certificate that I intend to use on our firewall for GlobalProtect. It is a single device, and the gateway is configured as an external gateway (it provides only VPN access from the external world). I've installed the certificate without any issue, but CA is not ticked on it. Therefore I cannot select this certificate at Portal/Agent/Trusted Root CA, and I get a certificate error on the client side.

If I create a self-signed certificate to use for the Gateway, and I use the wildcard for the Portal, the client can connect, but then the browser complains about a bad certificate.

I read something about Sectigo not being listed in the default trusted certificate authorities; can that cause the problem? How can I resolve this issue and keep the official certificate for the whole chain?

I'm using PAN-OS 9.1

KovBal

All Replies
L3 Networker

Re: Sectigo wildcard certificate problem for Globalprotect

You don't need a CA for the portal, nor for the gateway. Using the wildcard certificate should work fine.

If you intend to use certificate-based authentication (user and/or machine certificate), then you need a CA which signs the user/machine certificates. This CA needs to be listed as a trusted CA in the portal (the portal will then only accept the certificate if it is signed by the "trusted CA" you have listed).


L0 Member

Re: Sectigo wildcard certificate problem for Globalprotect

Thanks, I've managed to puzzle it together. The final revelation was to use the FQDN as the external gateway address, not the IP.

Case can be closed as resolved.

KovBal
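The fix above works because a wildcard certificate's `*.example.com` name only ever matches one DNS label and never an IP literal, so a gateway addressed by IP can never present a matching name. The following added example (not from the original thread or from Palo Alto Networks) implements that RFC 6125-style matching against a constructed SAN list, so you can check a planned portal or gateway address before committing the configuration.

```python
import ipaddress

# Constructed SAN list standing in for a purchased wildcard certificate
# (hypothetical names, not a real certificate).
WILDCARD_SANS = ["*.example.com", "example.com"]


def is_ip_literal(name: str) -> bool:
    """True if the client would be connecting to an address, not a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname the way TLS clients do.

    A wildcard is only accepted as the whole left-most label, it must not be
    the only label before the public suffix, and it matches exactly one label.
    IP literals are never matched by dNSName entries."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if is_ip_literal(hostname):
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_gateway_address(sans: list[str], address: str) -> tuple[bool, str]:
    """Return (ok, reason) for using `address` as a GlobalProtect portal or
    external gateway address with a certificate carrying these SANs."""
    if is_ip_literal(address):
        return False, "IP literal: configure the gateway by FQDN instead"
    if any(san_matches(san, address) for san in sans):
        return True, "address is covered by the certificate's SANs"
    if address.count(".") > sans[0].count("."):
        return False, "too many labels: a wildcard covers only one label"
    return False, "no SAN entry matches this name"


if __name__ == "__main__":
    for addr in ["vpn.example.com", "203.0.113.10", "gw1.vpn.example.com"]:
        print(addr, check_gateway_address(WILDCARD_SANS, addr))
```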
L2 Linker

Re: Sectigo wildcard certificate problem for Globalprotect

Did you face any issue with GlobalProtect on 30 May 2020 due to the Sectigo cert?

L4 Transporter

Re: Sectigo wildcard certificate problem for Globalprotect

I have an issue with a Sectigo-secured site today that I use relatively often without issue. PA says expired certificate.

L0 Member

Re: Sectigo wildcard certificate problem for Globalprotect

We're seeing the same on our end. Adding the root CA to device certs (with Trusted Root CA checked) hasn't resolved it either.

L2 Linker

Re: Sectigo wildcard certificate problem for Globalprotect

@RyanHenckel @RobinClayton

Please update if you got any solution. Currently, as a workaround, we are using a self-signed cert.
