10-11-2023 09:28 PM
Dear Team,
Among models using Android 13, kernel 5.4 or 5.15, a certificate error appears to occur when connecting to the GP.
I confirmed with TAC that I need to use a version 3 certificate.
However, many customers are using Palo Alto's own CA certificate.
Is there a way to create a v3 certificate in Palo Alto?
11-15-2023 06:01 PM
Previously, customers could use GP with only a root certificate.
However, due to the latest security patch in Android, GlobalProtect can no longer be used as a root certificate.
So please refer to the information below:
- Symptom: Unable to access GP on some Android 13 models
- Cause: It is expected that certificate-related security policies have been strengthened and changed on the Android side.
- Solution: When creating a Palo Alto certificate, separate the root cert and server cert according to the recommended guide.
> Related URL: Certificate config for GlobalProtect - (SSL/TLS, Client cert pr... - Knowledge Base - Palo Alto Netw...
10-11-2023 10:31 PM
I believe the default setting is to generate a v3 certificate.
Here is my test result with PAN-OS 9.1.12.
After exporting this cert, check it with the openssl command:
====
user@dom:~$ openssl x509 -text -noout -in ./cert_testcert.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3359397260 (0xc83c558c)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = testca
Validity
Not Before: Oct 12 05:21:15 2023 GMT
Not After : Oct 11 05:21:15 2024 GMT
Subject: CN = testcert.local
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:9d:a6:2c:d8:de:f8:2d:4f:5f:f0:cc:3f:0c:da:
0f:7d:25:fa:03:1b:8c:6e:bd:59:52:9d:24:44:86:
57:fb:d7:f7:b1:cc:21:44:be:d5:cc:80:fd:4e:e4:
ca:01:3e:dd:c6:f1:18:8e:46:a2:d7:22:6d:93:35:
..snip..
====
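Added example, not part of any post in this thread: a shell function that reads the `openssl x509 -text -noout` output shown above and reports the certificate version and whether the certificate is a root CA or a separately issued server (leaf) certificate, the distinction the accepted answer points to. The function name `cert_role`, the role labels and the two sample dumps are constructed for illustration; the function assumes that `Issuer` equal to `Subject` together with `CA:TRUE` marks a root certificate.

```shell
# Added example: classify a certificate from the text that
# `openssl x509 -text -noout` prints (read on stdin).
cert_role() {
  awk '
    /^[ \t]*Version:/ && !ver { ver = $2 }            # "Version: 3 (0x2)" -> 3
    /^[ \t]*Issuer:/  { sub(/^[ \t]*Issuer:[ \t]*/, "");  issuer = $0 }
    /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); subject = $0 }
    /CA:TRUE/ { ca = 1 }                              # Basic Constraints value
    END {
      if (issuer == "" || subject == "") role = "unparsed"
      else if (ca && issuer == subject)  role = "root-ca"
      else if (ca)                       role = "intermediate-ca"
      else if (issuer == subject)        role = "self-signed-leaf"
      else                               role = "leaf"
      printf "version=%s role=%s\n", (ver == "" ? "unknown" : ver), role
    }'
}

# Constructed sample dumps, trimmed to the fields the function reads.
ROOT_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = testca
        Subject: CN = testca
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'
LEAF_DUMP='Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = testca
        Subject: CN = testcert.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE'

printf '%s\n' "$ROOT_DUMP" | cert_role   # version=3 role=root-ca
printf '%s\n' "$LEAF_DUMP" | cert_role   # version=3 role=leaf
```

To run it on an exported certificate: `openssl x509 -text -noout -in ./cert_testcert.crt | cert_role`.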
10-12-2023 12:29 AM
@emr_1 Thank you for your reply
A number of customers are experiencing the symptom now, and I have checked the certificate based on the information you provided.
All certificates were verified as version 3.
Therefore, I believe there is another cause for this problem.
If there is any further confirmation, I will update this ticket.
05-13-2024 11:42 PM
Hello @KyungjunCHOE
On the Android device, should we upload the certificate as well for it to work?