05-13-2024 08:56 AM
We're migrating to a new PKI, the Issuing servers are signed by the root and all (3) certificates (Root, Issuing 1 & Issuing 2) are being pushed to the iOS devices via Workspace One. The config is more or less identical to the original PKI (the old PKI was using an 'Interim' Root which is now not being used, although I have pushed that down as I'm hitting a brick wall). The only difference is the new PKI is configured to issue user certs that are sha-512 (the previous is sha-256).
The client provides the error;
GlobalProtect service started (client version: 6.1.0-84, OS version: Apple iOS 16.7.5).
[Error]: A valid client certificate is required for authentication. If the issue persists, contact your administrator.
The full chain is being installed on the device, the user cert gets installed in the keychain/cert store but for some reason it's just not trusting it, the iOS device logs show the following error:
trustd[429] <Notice>: cert[0]: MissingIntermediate =(leaf)[force]> 0
The two issuing / intermediate certs are installed on the device, so I'm really confused as to why it's not connecting.
The PAN GPS logs show:
P 591-T20739 02/05/2024 21:28:18:857 Info ( 891): Couldn't find any matching identities. Trying to continue without client cert
P 591-T6147 02/05/2024 21:28:18:940 Info ( 565): Finished with PORTAL ADDRESS
P 591-T6147 02/05/2024 21:28:18:940 Debug( 505): Client cert error detail is Client cert usage check failed
P 591-T6147 02/05/2024 21:28:18:941 Debug( 517): error detail is Client cert usage check failed
P 591-T6147 02/05/2024 21:28:18:946 Debug( 396): Received data with length 539
P 591-T6147 02/05/2024 21:28:18:946 Debug( 421): m_errorDetails is Client cert usage check failed.
Any, ANY help would really be appreciated here please
05-14-2024 02:25 AM
Hi @gsjltd1921x ,
Make sure that you deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
Hope this helps,
-Kim.
05-14-2024 04:42 AM
Hi Kim, the client/user cert gets generated in the request and is pushed down to the device via the MDM profile, I can see the user cert is installed in the keychain (in the same way as the old PKI does), I believe the same CA template is used so everything looks to be matching
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
