10-27-2021 01:09 AM
Hi Folks,
Our GP VPN Portal and Gateway certificate expired recently. We created a new self-signed certificate on the Palo Alto firewall and mapped it to the GP VPN Portal and Gateway.
We are able to connect to the Portal and Gateway, and it is working fine for Windows and Android devices.
But when we try to connect to the GP Portal from an iOS device, we are successfully authenticated to the Portal but are not able to connect to the Gateway.
We checked the GP logs collected from the Apple iOS device and could see that the Portal authentication succeeds and the device connects. The HIP report is also being sent by the iOS device, but the iOS device is not establishing connectivity to the Gateway and shows the below error:
We checked some documentation and came to know that an iOS device will only establish connectivity with a server if the certificate meets some requirements set by Apple.
10-27-2021 04:55 AM - edited 10-27-2021 04:55 AM
Make sure your self-signed certificate complies with this also:
https://support.apple.com/en-us/HT211025
You can make the self-signed root CA trusted under your iOS device settings: Settings > General > About > Certificate Trust Settings, then enable full trust for that CA.
12-21-2021 10:54 AM
Ensure that the SSL cert has a SAN (Host Name in Certificate attributes) that matches the CN/FQDN. Make sure the cert follows Apple's requirements, including the validity <=825 days. Add the root certificate to the Apple device trust store (you can email yourself the root cert and open it on the iPhone to get it into your trust store via profiles). Then follow Abdul-Fattah's recommendation to trust the self-signed root.
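
The two certificate checks named in the replies above (a SAN that covers the CN/FQDN, and validity of at most 825 days) can be run against an exported certificate before it is mapped to the portal and gateway. This is an added example, not part of the original thread or any Palo Alto tooling; it assumes the text was produced by `openssl x509 -noout -subject -dates -ext subjectAltName` (OpenSSL 1.1.1 or later), and the host name and sample outputs are constructed.

```python
import re
from datetime import datetime

MAX_VALIDITY_DAYS = 825  # limit quoted in the thread

# Constructed sample output, not taken from the poster's firewall.
BAD = """subject=CN = vpn.example.com
notBefore=Oct 20 00:00:00 2021 GMT
notAfter=Oct 18 00:00:00 2031 GMT
"""
GOOD = """subject=CN = vpn.example.com
notBefore=Oct 27 00:00:00 2021 GMT
notAfter=Oct 27 00:00:00 2023 GMT
X509v3 Subject Alternative Name:
    DNS:vpn.example.com
"""

def _date(match):
    # OpenSSL prints dates as "Oct 27 00:00:00 2021 GMT"
    return datetime.strptime(match.group(1).strip(), "%b %d %H:%M:%S %Y GMT")

def _covers(pattern, name):
    # Exact match, or a wildcard that replaces only the leftmost label.
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name

def check_cert(text, fqdn=None):
    """Return a list of problems; an empty list means both checks pass."""
    cn = re.search(r"subject=.*?CN\s*=\s*([^,/\n]+)", text)
    start = re.search(r"notBefore=(.+)", text)
    end = re.search(r"notAfter=(.+)", text)
    sans = [s.lower() for s in re.findall(r"(?:DNS|IP Address):([^,\s]+)", text)]
    # Hypothetical default: check the CN when no portal FQDN is given.
    name = (fqdn or (cn.group(1).strip() if cn else "")).lower()
    problems = []
    if not sans:
        problems.append("no subjectAltName extension")
    elif not any(_covers(s, name) for s in sans):
        problems.append(f"SAN does not cover {name}")
    if start and end:
        days = (_date(end) - _date(start)).days
        if days > MAX_VALIDITY_DAYS:
            problems.append(f"validity of {days} days exceeds {MAX_VALIDITY_DAYS}")
    else:
        problems.append("validity dates not found")
    return problems

if __name__ == "__main__":
    for label, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_cert(sample) or "ok")
```

Pass the gateway FQDN as the second argument when it differs from the portal name, since the same certificate was mapped to both.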