Self-Signed Certificate Issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Self-Signed Certificate Issues

L3 Networker

Hello everyone,

 

I am trying to make a self-signed cert for use with Global-Protect in my lab. I go into Device, Certificates, Generate, give the cert a name, Root_GP_Cert, common name of 192.168.189.155 which is the WAN side IP Address. Click the Certificate Authority box and click ok. Then I click on Generate again, this time I use a different name, common name is 192.168.189.155 and I select the Root_GP_Cert in the Signed By drop-down box and I give a Certificate Attribute of IP Address 192.168.189.155 but it gives me the error of: Failed to insert certificate into configuration. Only self signed CA certificates can have identical subject and issuer fields.

 

I watch youtube videos and follow along, works for them, not for me! Suggestions? Really easy but can't figure it out! Thanks - Geoff

1 accepted solution

Accepted Solutions

L5 Sessionator

You need to get the naming convention correct. If you create a root authority on the PA, make the CN something like firewall.domain_root_ca.domain.com. Then when you click on it, you'll see the CN and issuer are the same. No other cert can have the name firewall1.domain.com_root_ca.domain.com or it will conflict with the common name of the root. 

After you create the issuing authority, it can issue the cert you want to use for testing with the IP address as the CN. 

Do you not have internal PKI that can issue certificates for use on the PA? Whatever endpoint you'll use for testing won't trust the certificate bound for GP unless you export the root certificate from the PA and import on your test machine.

View solution in original post

2 REPLIES 2

L5 Sessionator

You need to get the naming convention correct. If you create a root authority on the PA, make the CN something like firewall.domain_root_ca.domain.com. Then when you click on it, you'll see the CN and issuer are the same. No other cert can have the name firewall1.domain.com_root_ca.domain.com or it will conflict with the common name of the root. 

After you create the issuing authority, it can issue the cert you want to use for testing with the IP address as the CN. 

Do you not have internal PKI that can issue certificates for use on the PA? Whatever endpoint you'll use for testing won't trust the certificate bound for GP unless you export the root certificate from the PA and import on your test machine.

L3 Networker

Hello @rmfalconer you are (as you know) correct! I watched a Beacon Module on this last night. Yes I was doing it wrong, even though on youtube I was following along. In any case, may thanks for replying and pointing me in the right direction!

  • 1 accepted solution
  • 3354 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!