Certificate Chain Requirements from External CA for Global Protect


L1 Bithead

Hi Everyone,


So I'm having issues configuring my GP as it does not allow me to select the server-cert from the TLS/SSL Service profile Window.

The server-cert is not even an option to select from within the window itself, and when I try to import it from inside the TLS/SSL Service profile window, it imports but errors out saying the cert is invalid.

 

I noticed that the certificate chain I got from SSL.com that I imported doesn't have a check mark on the key column under the server cert, I only have a checkmark under the key column for the root cert which overwrote the CSR.

 

GP7337_1-1738863827766.png

 

So the question I have is - how do I get a key check mark to appear under the Server-Cert inside the cert chain?  Do I have the wrong type of SSL cert?  What am I missing?


Thanks in Advance Everyone!

3 REPLIES

L2 Linker

As per the image, the private key was imported into the firewall along with the ROOT-CA cert, but for the server/SSL cert only the certificate was imported, not the key. Without the private key it won't appear in the SSL/TLS profile settings. Reimport the certificate along with the private key.

L1 Bithead

Hi Naga,

 

Thanks for your reply! 🙂

So this is part of the problem: I don't have a key for the server cert specifically, as the cert I received is part of a certificate bundle.

When I try to import the CSR key that was used to generate the external CA's certificate chain it errors out saying the key isn't valid.

So is there a specific attribute or a type of cert I need in order to get this to work? 

 

Thanks,

Gary

 

Just a heads up this was fixed - when you are importing the certs into the firewall do not overwrite the CSR until you are importing the server cert portion of the certificate chain.  This way the key will be paired properly with the server cert.
Hope this helps someone in the future 🙂
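
Added example (not part of the original thread): a CSR and the certificate issued from it carry the same public key, so comparing public-key hashes shows which certificate in a CA bundle is the server cert that belongs with the pending CSR's private key. The file names, the throwaway demo CA and the `vpn.example.test` subject are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Identify which certificate in a PEM bundle was issued for a given CSR.

# Print the SHA-256 of the public key in a CSR or certificate (PEM file).
pubkey_hash() {  # $1 = req|x509, $2 = file
  openssl "$1" -in "$2" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Split a PEM bundle into <dir>/cert-N.pem, one certificate per file.
split_bundle() {  # $1 = bundle, $2 = output dir
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert-" n ".pem")}' "$1"
}

# Echo the path of the bundle certificate whose public key matches the CSR.
find_cert_for_csr() {  # $1 = csr, $2 = bundle, $3 = empty work dir
  split_bundle "$2" "$3"
  want=$(pubkey_hash req "$1")
  for c in "$3"/cert-*.pem; do
    [ "$(pubkey_hash x509 "$c")" = "$want" ] && { echo "$c"; return 0; }
  done
  return 1   # no match: the bundle was not issued for this CSR
}

# Constructed demo data: throwaway root CA, CSR and signed server cert.
make_demo() {  # $1 = dir
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
    -out "$1/ca.pem" -subj "/CN=Demo Root CA" -days 1 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/srv.key" \
    -out "$1/srv.csr" -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/srv.pem" -days 1 2>/dev/null
  # Root listed first, server cert second, as a CA bundle often is.
  cat "$1/ca.pem" "$1/srv.pem" > "$1/bundle.pem"
}

d=$(mktemp -d) && make_demo "$d" && mkdir "$d/split"
match=$(find_cert_for_csr "$d/srv.csr" "$d/bundle.pem" "$d/split")
# Subject of the certificate to import under the pending CSR's name.
openssl x509 -in "$match" -noout -subject
```

With a real deployment, point `find_cert_for_csr` at the CSR exported from the firewall and the bundle received from the CA; the certificate it reports is the one to import over the CSR entry, and the others are chain certificates.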
