I have users who plan to connect their phones (to use a softphone app for the PABX) and laptops to the internal network from outside. I have set up the GlobalProtect gateway and portal and tried to use a self-signed cert, but it is not working. Now I need to use a CA to generate a signed certificate, and I have two questions:
1. Which CA do you recommend, if you have done this before?
2. Should I have root and identity certificates?
If it's self-signed by the PA, you would have to distribute the root cert from the PA to all of the phones. The problem is the phones don't trust the identity cert presented because they don't trust the CA that issued it.
Are the phones typical mobile phones? If you purchase a cert from a trusted authority, you shouldn't need to worry about distributing any root or intermediate certs to the phones. They should already have those in their trusted authority store.
Public CAs do have root and intermediate certs available for download so you can install them on devices/appliances that don't have built-in stores.
Thanks @rmfalconer, yes the phones are cell phones (Samsung, iPhone, etc.). I will use GoDaddy to generate my certificate.
Will GoDaddy provide me with root and intermediate certificates? They told me that they provide the root certificate only. Do I need to import the root and the intermediate certificates into the Palo Alto firewall, and what is the difference between root and intermediate?
I'm not familiar with what GoDaddy provides exactly but I would expect they have a cert repository publicly available where you can download anything you need. Also, after creating the cert, there is probably a way to download a single file that contains root, intermediate and entity certs.
There should be plenty of documentation on importing the certificate chain to the PA.
For the difference in root and intermediate, you can read about certificate chains and that should explain it.
Finally I created the certificate from GoDaddy, but I have an issue. When I tried to create the certificate from GoDaddy, it asked me to provide the domain name instead of the public outside-interface IP that I assigned, so I asked the domain administrator to create a subdomain of the main domain to use when generating the CSR file. The administrator created the subdomain, and because the domain is hosted in the cloud, not on local servers, he mapped the subdomain to the public IP of the outside interface.
When I use a DNS lookup to verify that DNS resolves the subdomain to my public IP, it gives me two IPs: the first is my public IP and the other is the public IP of the server hosting the main domain.
Now I am trying to connect from my mobile phone to my gateway, but it keeps giving me "Cannot Verify Server Identity". What is the problem now that prevents me from connecting to my gateway?
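Added example, not from the thread or from Palo Alto: it uses openssl to build a throw-away root -> intermediate -> gateway chain and checks it the way a phone does (trusting only the root). It covers the root/intermediate question answered above and the two checks behind a server-identity error: whether the intermediate is sent along with the gateway cert, and whether the name the phone connects to is in the certificate. The names gp.example.com and www.example.com and the temp directory are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a throw-away root -> intermediate
# -> leaf chain with openssl and check it the way a phone does, trusting only
# the root. Names (gp.example.com, www.example.com) are constructed.
set -e
WORK="$(mktemp -d)"
cd "$WORK"
GW_NAME="gp.example.com"   # the subdomain placed in the CSR, not the outside IP

# csr <name> <subject>: private key plus CSR for one subject
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }

# sign <name> <issuer|self> <extfile>: issue <name>.pem from <name>.csr
sign() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 30 -extfile "$3" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -out "$1.pem" -days 30 -extfile "$3" >/dev/null 2>&1
  fi
}

# 1. root CA: the part a public CA publishes and phones already trust
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
csr root "/CN=Example Root CA"; sign root self ca.ext
# 2. intermediate CA, signed by the root: the part that actually signs customer certs
csr inter "/CN=Example Intermediate CA"; sign inter root ca.ext
# 3. gateway (identity) cert, signed by the intermediate, with the subdomain as SAN
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$GW_NAME" > leaf.ext
csr leaf "/CN=$GW_NAME"; sign leaf inter leaf.ext

# A phone trusts the root only, so the gateway must send leaf + intermediate.
verify_with_intermediate()    { openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1; }
# Same check when the intermediate is missing from what the gateway sends.
verify_without_intermediate() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
# Chain plus name check: the name the phone connects to must be in the SAN.
verify_for_name() { openssl verify -CAfile root.pem -untrusted inter.pem -verify_hostname "$1" leaf.pem >/dev/null 2>&1; }

verify_with_intermediate    && echo "chain with intermediate: OK"
verify_without_intermediate || echo "chain without intermediate: FAILS (issuer not found)"
verify_for_name "$GW_NAME"      && echo "name $GW_NAME: OK"
verify_for_name www.example.com || echo "name www.example.com: FAILS (hostname mismatch)"
```

The same two checks can be run against a live gateway by replacing leaf.pem and inter.pem with the certificates it actually serves during the TLS handshake.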