cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SSL Certificate for Global Connect

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
DerarAbubaker
L2 Linker
‎11-10-2019 01:04 AM
‎11-10-2019 01:04 AM

SSL Certificate for Global Connect

Hi All,

 

I have a users who plan to connect their phones (To use a soft phone app for the PABX) and laptops to the internal network from outside, i have setup the global connect gateway and portal and tried to use self signed cert but it is not working, now i need to use a CA to generate a signed certificate and i have two questions:
1. Which CA do you recommend if you have do this before?
2. Should i have root and identity certificates?

0 Likes
Reply
Highlighted
rmfalconer
L4 Transporter
‎11-11-2019 03:00 PM
‎11-11-2019 03:00 PM

Where are you using the self-signed cert? For what function?

Popular public CAs are Comodo, Digicert and Godaddy. Any of these should already be included as a trusted root cert authority on your endpoints.

0 Likes
Reply
Highlighted
DerarAbubaker
L2 Linker
‎11-13-2019 02:43 AM
‎11-13-2019 02:43 AM

I have tried to use self signed cert instead of using a signed one from a public CA, but the phones refused to connect.

 

What kind of certificates should i import? Root and Intermediate ? Does the public CA provide me the root and the intermediate certificates?

0 Likes
Reply
Highlighted
rmfalconer
L4 Transporter
‎11-13-2019 08:44 AM
‎11-13-2019 08:44 AM

If it's self-signed by the PA, you would have to distribute the root cert from the PA to all of the phones. The problem is the phones don't trust the identity cert presented because they don't trust the CA that issued it. 

Are the phones typical mobile phones? If you purchase a cert from a trusted authority, you shouldn't need to worry about distributing any root or intermediate certs to the phones. They should already have those in their trusted authority store.

Public CAs do have root and intermediate certs available for download so you can install them on devices/appliances that don't have built-in stores.

0 Likes
Reply
Highlighted
DerarAbubaker
L2 Linker
‎11-14-2019 05:28 AM
‎11-14-2019 05:28 AM

Thanks @rmfalconer yes the phones are cell phones (Samsung, iPhone...etc), i will use GoDaddy to generate my certificate.

 

Will Godaddy provide me with a root and intermediate certificates because they told me that they provide root certificate only? Do i need to import the root and the intermediate certificates to Paloalto firewall and what is the difference between root and intermediate ?

0 Likes
Reply
Highlighted
rmfalconer
L4 Transporter
‎11-14-2019 10:16 AM
‎11-14-2019 10:16 AM

I'm not familiar with what GoDaddy provides exactly but I would expect they have a cert repository publicly available where you can download anything you need. Also, after creating the cert, there is probably a way to download a single file that contains root, intermediate and entity certs.

There should be plenty of documentation on importing the certificate chain to the PA. 

For the difference in root and intermediate, you can read about certificate chains and that should explain it.

 

0 Likes
Reply
Highlighted
DerarAbubaker
L2 Linker
‎11-28-2019 03:40 AM
‎11-28-2019 03:40 AM

Finally i created the certificate from godaddy but i have an issue, when i tried to create the certificate from godaddy it ask me to provide the domain name instead of the public outside interface ip which i assigned and for that i asked the domain administrator to create a subdomain from the main domain to use it in generating the CSR file. The administrator created the subdomain and because the domain is hosted in the cloud not in a local servers he map the subdomain to the public ip for the outside interface.

When i use a dns lookup to verify that the dns resolve the subdomain to my public ip it gives me two IPs, the first is my public and the other is the main domain hosted server public ip.

Now i am trying to connect from my mobile phone to my gateway but it keeps give me "Connot Verify Server Identity", what is the problem now that prevents me from connecting to my gateway???

 

Connot Verify Server Identity.jpg

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks