11-09-2023 02:08 PM - edited 11-09-2023 05:56 PM
Hello everyone,
I am trying to make a self-signed cert for use with GlobalProtect in my lab. I go into Device, Certificates, Generate, give the cert a name, Root_GP_Cert, common name of 192.168.189.155, which is the WAN side IP address. Click the Certificate Authority box and click OK. Then I click on Generate again; this time I use a different name, common name is 192.168.189.155, and I select the Root_GP_Cert in the Signed By drop-down box and I give a Certificate Attribute of IP Address 192.168.189.155, but it gives me the error: Failed to insert certificate into configuration. Only self signed CA certificates can have identical subject and issuer fields.
I watch YouTube videos and follow along, works for them, not for me! Suggestions? Really easy but can't figure it out! Thanks - Geoff
11-10-2023 01:33 PM
You need to get the naming convention correct. If you create a root authority on the PA, make the CN something like firewall.domain_root_ca.domain.com. Then when you click on it, you'll see the CN and issuer are the same. No other cert can have the name firewall1.domain.com_root_ca.domain.com or it will conflict with the common name of the root.
After you create the issuing authority, it can issue the cert you want to use for testing with the IP address as the CN.
Do you not have internal PKI that can issue certificates for use on the PA? Whatever endpoint you'll use for testing won't trust the certificate bound for GP unless you export the root certificate from the PA and import on your test machine.
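
The layout described in the reply above, reproduced with OpenSSL instead of the PAN-OS GUI as an added example (not part of the original thread and not Palo Alto Networks code). The CA name `lab-gp-root-ca` and the helper function names are assumptions; the second run repeats the question's setup, where root and leaf share the same CN, to show the subject/issuer match that the error message refers to.

```bash
# Added example: root CA plus IP-named leaf, built with OpenSSL in throwaway directories.
set -eu
LAB_IP="192.168.189.155"   # WAN address from the question
ROOT_CN="lab-gp-root-ca"   # hypothetical CA name, deliberately different from LAB_IP

# issue_chain DIR ROOT_CN LEAF_CN: writes root.crt and leaf.crt into DIR.
issue_chain() {
  local d="$1" root_cn="$2" leaf_cn="$3"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $root_cn
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: subject and issuer are the same name, which is allowed for a CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Leaf: CN and subjectAltName carry the IP; the issuer is the root above.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=$leaf_cn" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = IP:%s\n' "$LAB_IP" > "$d/leaf.ext"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# subject_equals_issuer CERT: exit 0 when both names match (the condition in the error).
subject_equals_issuer() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

good=$(mktemp -d); bad=$(mktemp -d)
trap 'rm -rf "$good" "$bad"' EXIT          # lab private keys do not outlive the run
issue_chain "$good" "$ROOT_CN" "$LAB_IP"   # layout from the reply: distinct root CN
issue_chain "$bad"  "$LAB_IP"  "$LAB_IP"   # layout from the question: same CN twice
for d in "$good" "$bad"; do
  if subject_equals_issuer "$d/leaf.crt"; then
    echo "leaf subject == issuer but it is not self-signed: the case the error rejects"
  else
    echo "leaf subject != issuer"; openssl verify -CAfile "$d/root.crt" "$d/leaf.crt"
  fi
done
```

The `openssl verify -CAfile` step stands in for the endpoint trusting the exported root; without that root imported, the client has no trust anchor for the leaf.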
11-11-2023 09:51 PM
Hello @rmfalconer, you are (as you know) correct! I watched a Beacon Module on this last night. Yes, I was doing it wrong, even though on YouTube I was following along. In any case, many thanks for replying and pointing me in the right direction!