Trusted Root CA Not Installed on Client?
cancel
Showing results for 
Search instead for 
Did you mean: 

Trusted Root CA Not Installed on Client?

L3 Networker

This is on a PA-3020 running PAN-OS 7.0.4.

 

I've always manually chained certificates when installed an SSL certificate for Global Protect.  I decided to see if I could install the SSL certificate and the Intermediate certificates separately and see if it would work.  I configured Global Protect Portal > Agent Configuration > Trusted Root CA with the GoDaddy G2_G1 certificate provided by GoDaddy.

 

When I log into Global Protect, I do not get the 'untrusted certificate' error.  However, when I check Keychain on my Mac, it only shows the client certificate installed, not the GoDaddy intermediate, and the certificate is labeled as 'signed by unknow authority'.

 

My questions:

 

1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?

2. Is it still recommended to manually create the certificate chain or use this method?  

 

The reason I'm trying not to chain them is because the client wants his SSL certificate to update via OCSP and it just doesn't do that if it's manually chained.

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

I guess certificate chain will help here.

View solution in original post

8 REPLIES 8

L5 Sessionator

1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?

 

It pushes the root ca to client. Client performs certificate checks when user connect to the GlobalProtect gateway.

 

2. Is it still recommended to manually create the certificate chain or use this method?  

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Install-a-Chained-Certificate-Signed...

 

Hope this helps!

L3 Networker

That's what's weird.  I thought it pushed the Root CA to the client.

 

When I check Keychain on my Mac, the client's certificate is there but the CA Root is not.  The client certificate just shows that's it's signed by an unknown signer.

 

I searched the keychain and could not find the Root CAs that should be being pushed down.

 

Regards,

 

Matt

It pushes the root ca to client. Client performs certificate checks when user connect to the GlobalProtect gateway.

But I'm seeing it doesn't add it to the local keychain on the PC.  Only the client certificate is being added. 

 

Shouldn't the Root CA be added to the keychain?

 

Regards,

Matt

It will not be added.

 

From the admin guide:

 

"As a best practice, always deploy the trusted root CA certificates in the client configuration to ensure that the agents/apps perform the certificate checks to validate the identity of the gateway before establishing a connection. This prevents the agents/apps from falling prey to man-in-the-middle attacks"

 

Have you tried in windows system? May be godaddy intermediate root ca is not present on the local machine that's why it is showing was unknow signing authority.

I guess certificate chain will help here.

View solution in original post

Sorry for the delay.

 

So the choices become:

1. Manually chained.  Then the Mac's keychain will show the certificate as complete.

2.  Leave as is.  The client gets no error during GP login but the keychain on the machine just shows the cert signed by an unknown CA. 

 

User's don't actually go there to check anyway.  They just don't want to see those pesky pop-ups about untrusted cert.  So, I'm going to leave it as is.

 

Thank you for the response.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!