GlobalProtect version 3 certificate

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect version 3 certificate

L2 Linker

Dear Team, 

 

Among models using Android 13, kernel 5.4 or 5.15, a certificate error appears to occur when connecting to the GP.

 

I confirmed with TAC that I need to use version 3 certificate.

 

However, many customers are using Paloalto's own CA certificate.

 

Is there a way to create a v3 certificate in Paloalto?

1 accepted solution

Accepted Solutions

L2 Linker

Previously, customers could use GP with only a root certificate.

 

However, due to the latest security patch in Android, GlobalProtect can no longer be used as a root certificate.

So please refer to the information below:

 

- Symptom: Unable to access GP on some Android 13 models

- Cause: It is expected that certificate-related security policies have been strengthened and changed on the Android side.

- Solution: When creating a Paloalto certificate, separate the root cert and server cert according to the recommended guide.

> Related URL: Certificate config for GlobalProtect - (SSL/TLS, Client cert pr... - Knowledge Base - Palo Alto Netw...

View solution in original post

3 REPLIES 3

L5 Sessionator

I believe default setting is to generate v3 certificate.

Here is my test result with PAN-OS 9.1.12

 

Image 001.png

 

After export this cert, check with openssl command:

====

user@dom:~$ openssl x509 -text -noout -in ./cert_testcert.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3359397260 (0xc83c558c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = testca
Validity
Not Before: Oct 12 05:21:15 2023 GMT
Not After : Oct 11 05:21:15 2024 GMT
Subject: CN = testcert.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:a6:2c:d8:de:f8:2d:4f:5f:f0:cc:3f:0c:da:
0f:7d:25:fa:03:1b:8c:6e:bd:59:52:9d:24:44:86:
57:fb:d7:f7:b1:cc:21:44:be:d5:cc:80:fd:4e:e4:
ca:01:3e:dd:c6:f1:18:8e:46:a2:d7:22:6d:93:35:

..snip..

====

L2 Linker

@emr_1 Thank you for your reply

 

A number of customers are experiencing the symptom now, and i have checked the certificate based on the information you provided.

 

All certificates verified as version3.

 

Therefore, I believe there is another cause for this problem.

 

If there is any further confirmation, I will update this ticket.

L2 Linker

Previously, customers could use GP with only a root certificate.

 

However, due to the latest security patch in Android, GlobalProtect can no longer be used as a root certificate.

So please refer to the information below:

 

- Symptom: Unable to access GP on some Android 13 models

- Cause: It is expected that certificate-related security policies have been strengthened and changed on the Android side.

- Solution: When creating a Paloalto certificate, separate the root cert and server cert according to the recommended guide.

> Related URL: Certificate config for GlobalProtect - (SSL/TLS, Client cert pr... - Knowledge Base - Palo Alto Netw...

  • 1 accepted solution
  • 1111 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!