01-14-2016 05:45 PM
This is on a PA-3020 running PAN-OS 7.0.4.
I've always manually chained certificates when installing an SSL certificate for Global Protect. I decided to see if I could install the SSL certificate and the Intermediate certificates separately and see if it would work. I configured Global Protect Portal > Agent Configuration > Trusted Root CA with the GoDaddy G2_G1 certificate provided by GoDaddy.
When I log into Global Protect, I do not get the 'untrusted certificate' error. However, when I check Keychain on my Mac, it only shows the client certificate installed, not the GoDaddy intermediate, and the certificate is labeled as 'signed by unknown authority'.
My questions:
1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?
2. Is it still recommended to manually create the certificate chain or use this method?
The reason I'm trying not to chain them is because the client wants his SSL certificate to update via OCSP and it just doesn't do that if it's manually chained.
Thanks.
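The "signed by unknown authority" result described in this post is what any X.509 path builder reports when it holds the root but is never given the intermediate. The following is an added example (not code from the thread, from Palo Alto Networks, or from GoDaddy) that constructs a throwaway root, intermediate and leaf in Go's standard crypto/x509 package, then verifies the leaf once with only the root trusted (the situation where the intermediate was never installed or chained) and once with the intermediate supplied (the manually chained case). All names, serials and the vpn.example.com hostname are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI holds a constructed root -> intermediate -> leaf chain (placeholders,
// not a real CA hierarchy).
type testPKI struct {
	root, intermediate, leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with signer (the parent's key) and parses the result back.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func buildPKI() testPKI {
	now := time.Now()
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}
	root := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed

	intTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example Intermediate CA (constructed)"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: caUsage,
	}
	inter := makeCert(intTmpl, root, &intKey.PublicKey, rootKey) // issued by root

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "vpn.example.com"},
		DNSNames:     []string{"vpn.example.com"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := makeCert(leafTmpl, inter, &leafKey.PublicKey, intKey) // issued by intermediate
	return testPKI{root: root, intermediate: inter, leaf: leaf}
}

// verifyLeaf plays the client: it trusts only the root (the certificate a
// GlobalProtect "Trusted Root CA" entry pushes down) and is handed either the
// bare leaf or the leaf plus its intermediate. A nil error means a path to the
// trusted root was built.
func verifyLeaf(p testPKI, withIntermediate bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.root)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "vpn.example.com"}
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(p.intermediate)
	}
	_, err := p.leaf.Verify(opts)
	return err
}

// isUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure, i.e. the path builder could not reach a trusted root.
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

func main() {
	p := buildPKI()
	fmt.Println("leaf only, root trusted:        ", verifyLeaf(p, false))
	fmt.Println("leaf + intermediate, root trusted:", verifyLeaf(p, true))
}
```

Run with `go run .`: the first line prints "x509: certificate signed by unknown authority" and the second prints nil. Trusting the root alone is not enough; the verifier needs every intermediate between leaf and root from somewhere, either bundled with the leaf (the manual chain) or already present in the client's store.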
01-14-2016 08:46 PM - edited 01-14-2016 10:19 PM
1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?
It pushes the root CA to the client. The client performs certificate checks when the user connects to the GlobalProtect gateway.
2. Is it still recommended to manually create the certificate chain or use this method?
Hope this helps!
01-14-2016 09:54 PM
That's what's weird. I thought it pushed the Root CA to the client.
When I check Keychain on my Mac, the client's certificate is there but the CA Root is not. The client certificate just shows that it's signed by an unknown signer.
I searched the keychain and could not find the Root CAs that should be being pushed down.
Regards,
Matt
01-14-2016 10:06 PM
It pushes the root CA to the client. The client performs certificate checks when the user connects to the GlobalProtect gateway.
01-14-2016 10:11 PM
But I'm seeing it doesn't add it to the local keychain on the PC. Only the client certificate is being added.
Shouldn't the Root CA be added to the keychain?
Regards,
Matt
01-14-2016 10:15 PM
It will not be added.
From the admin guide:
"As a best practice, always deploy the trusted root CA certificates in the client configuration to ensure that the agents/apps perform the certificate checks to validate the identity of the gateway before establishing a connection. This prevents the agents/apps from falling prey to man-in-the-middle attacks"
Have you tried on a Windows system? Maybe the GoDaddy intermediate root CA is not present on the local machine; that's why it is showing as an unknown signing authority.
01-14-2016 10:17 PM - edited 01-14-2016 10:19 PM
01-14-2016 10:36 PM - edited 01-14-2016 11:15 PM
I guess a certificate chain will help here.
01-25-2016 04:57 PM
Sorry for the delay.
So the choices become:
1. Manually chained. Then the Mac's keychain will show the certificate as complete.
2. Leave as is. The client gets no error during GP login but the keychain on the machine just shows the cert signed by an unknown CA.
Users don't actually go there to check anyway. They just don't want to see those pesky pop-ups about an untrusted cert. So, I'm going to leave it as is.
Thank you for the response.