UserID Agent version 9.0.5-8
Windows Server 2016 UserID Agent Servers x2
I've tried following this guide and numerous others (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGFCA0)
Keep getting 'Failed to validate client certificate, thread : 1 , 5-10054!' as shown at the very bottom of the aforementioned support article and seeing SSL failures in the system log of the firewall.
I've tried generating the cert about a hundred different ways and formats on the server/firewall, and I still get the issue. I've tried using IP, FQDN, Subject-Alternative-Name including IP, Hostname, FQDN, one all or any. Port 5007 is open and the server worked previously. Now my certificate is stuck in the User-ID software and I cant delete it or use the server any longer with the firewall for regular user ID which is annoying. There is no delete/remove button to take the cert back out of the software so I pretty much have to get this working now as I'm down to 1 User-ID box.
At this point I'm missing something fundamental, like a check box on the firewall or some hidden thing. I've installed certificates for Decrypt in and out, Management address, and all sorts of certificates and never had any problems until this. Has anyone successfully set this up and they can walk me through how you did it and maybe I can see my error? I have heard that IP address must be used in the SAN attribute, but that didn't work either.
There are really no tricks...
Here's a working config I just did in my lab. It might give you an idea of what went wrong with your setup.
On the PA Firewall:
No need to enter any other information as this is to create a self signed cert later
On the UserID server:
Hope that helps!
If this is mission critical I would say call TAC and get their assistance. While I have never set this up myself, I have setup other things and usually missed something simple, not saying you haven't gone over this a bunch of times.
I posted a full how-to earlier but it has never been published... There might be a delay or a bug somewhere in the forum...
Anyways, it should not be a issue.
Make sure the certificate you import in the client is fully recognized by the PA firewall (including the root CA that signed this certificate - the attached certificate profile should be linked to this root CA...). Regarding the SAN, I just added the IP address in the certificate. Worked well 1st time.
Hope that helps... and maybe the full description I did this morning will be posted eventually.
The example that @Rievax wrote up is great and definitely works perfectly fine. The one thing that I would say is that if you have this certificate signed by an external CA, be sure that you actually have the full cert chain in the certificate profile. You may have to manually chain the certificates if it's signed by an intermediary to get things to work properly.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!