Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Creating self signed Certificate for IOS device 14 and 15 on Palo Alto firewall

L3 Networker

Hi Folks,

 

Our GP VPN Portal and Gateway Certificate had expired recently. When we created an new self signed certificate on Palo Alto firewall and mapped it to GP VPN Portal and Gateway.

 

We are able to connect to portal and Gateway and it is working fine for windows and Android device. 

 

But when we try to connect to GP Portal through IOS device we are successfully authenticated into the portal but not able to connect to Gateway.

 

Checked the GP Logs collected from the Apple IOS Device and could see the Portal authentication is being succeeded and connected. HIP report is also being send by the IOS device but the IOS device is not establishing connectivity to the Gateway and showing the below error:

        {
        Certificate = "<cert(0x105829a00) s: x.x.x.x i: x.x.x.x>";
        Property =         {
            type = error;
            value = "Policy requirements not met.";

        };
    }
)}
connectTimeout: 5
receiveTimeout: 30
responseData(0): 

P1363-T14087 10/21/2021 18:14:07:926 Debug( 482): error detail is Server cert verification failed
P1363-T14087 10/21/2021 18:14:07:926 Info ( 305): Session <__NSURLSessionLocal: 0x104c4f2e0> set to (null)
P1363-T14087 10/21/2021 18:14:07:926 Debug( 331): m_errorDetails is Server cert verification failed
.
 

Checked some documentation and came to know IOS device will only establish connectivity with an server if the certificate met some requirements set by apple.

 

GLOBAL PROTECT DOESN'T CONNECT IN IOS 13 AND MACOS 10.15 DUE TO" SERVER CERTIFICATE VERIFICATION FAILED":
 
Requirements for trusted certificates in iOS 13 and macOS 10.15(Apple Documentation)
https://support.apple.com/en-in/HT210176
 
 
Is there any idea on how to create an self signed certificate on Palo Alto firewall that will be compactible with IOS 15 and 14 device certificate requirements ?
 
 
Thanks in advance!!

 

2 REPLIES 2

L4 Transporter

make sure your self-signed comply with this also:
https://support.apple.com/en-us/HT211025
you can make the self-signed root CA trusted under your IOS device settings: Settings > General > About > Certificate Trust Settings then enable full trust for that CA.

L0 Member

Ensure that the SSL cert has a SAN (Host Name in Certificate attributes) that matches the CN/FQDN.  Make sure the Cert follows Apple's req's, including the validity <=825 days.  Add the Root Certificate to the Apple device trust store (you can email yourself the root cert and open it on the iPhone to get it into your trust store via profiles).  Then Follow Abdul-Fattah's recommendation to trust the self-signed Root.

  • 5290 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!