01-16-2025 08:52 AM
Guys,
I was finally able to confirm that split tunnel config file on a web server works, so I would like to share some tips with you.
This is an explanation for the link above.
Mutual TLS is under the same CA.
Initially, I used Let's Encrypt for the server certificate, but it doesn't provide a client certificate, so I used a client certificate that I created on local Linux. This resulted in an error in PanGPS.log (AdvancetST: downloaded content is not authenticated).
The engineers at Palo Alto helped me by giving me some useful links to understand mTLS.
Just to add a little bit, this link does not include the SAN, and when you check the operation with the client's browser, you will get a server certificate error.
When creating a CSR and issuing a certificate, it was necessary to add a few commands to include the SAN. Like this.
openssl req -new -key server.key.pem -out server.csr -addext "subjectAltName = DNS:example.com"
openssl ca -config /root/mtls/openssl.cnf -extfile san.txt -days 1650 -notext -batch -in server.csr -out server.cert.pem
san.txt contains subjectAltName = DNS:example.com
Any private key can be used to sign the file. It has nothing to do with mTLS. Register the corresponding public key in Prisma Access.
Even after looking at the setup guide, I'm still confused as to which private key to use.
However, the Palo engineer told me that "anything is fine," and the problem became clear.
I'm looking forward to this, as it allows for more flexible route control than internal host detection.
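The two steps described in the post above (issuing a server certificate that actually carries the SAN, and signing the split-tunnel config file with an arbitrary key whose public half is registered separately) can be reproduced end to end with plain OpenSSL. The script below is an added example, not the poster's files or anything from Palo Alto: it uses a throwaway CA, the constructed host name example.com, constructed file names and a constructed sample config, and it signs with openssl x509 -req instead of the post's openssl ca so that no CA directory layout (index.txt, serial, openssl.cnf) is needed. It issues the same CSR twice, once without and once with the -extfile, so you can see that the SAN requested in the CSR does not reach the certificate unless the signing step adds it, and it shows that the config-file signature only verifies against the unmodified file.

```shell
#!/bin/sh
# Added demonstration (not from the original post): issue a server cert with and
# without a SAN, check which one carries it, then sign and verify a config file.
# example.com, "Demo Root CA", and every file name here are constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1
SAN_HOST=example.com
echo "subjectAltName = DNS:$SAN_HOST" > san.txt      # same content as the post's san.txt

# 1. A throwaway CA, standing in for the private CA kept on the Linux box.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key.pem 2>/dev/null
openssl req -x509 -new -key ca.key.pem -out ca.cert.pem -days 365 \
    -subj "/CN=Demo Root CA" 2>/dev/null

# 2. Server key and a CSR that requests the SAN (the -addext from the post).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key.pem 2>/dev/null
openssl req -new -key server.key.pem -out server.csr -subj "/CN=$SAN_HOST" \
    -addext "subjectAltName = DNS:$SAN_HOST" 2>/dev/null

# issue_cert CSR OUT [EXTFILE]: sign with the demo CA. Without an -extfile the
# SAN requested in the CSR is not copied into the certificate (default
# -copy_extensions is none), which is the "no SAN" case the post ran into.
issue_cert() {
    if [ -n "$3" ]; then
        openssl x509 -req -in "$1" -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
            -days 365 -out "$2" -extfile "$3" 2>/dev/null
    else
        openssl x509 -req -in "$1" -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
            -days 365 -out "$2" 2>/dev/null
    fi
}

# has_san CERT HOST: succeeds only if the certificate lists HOST as a DNS SAN.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# chain_ok CERT: succeeds if the certificate validates against the demo CA.
chain_ok() {
    openssl verify -CAfile ca.cert.pem "$1" >/dev/null 2>&1
}

issue_cert server.csr server.nosan.pem           # CSR alone: SAN is lost
issue_cert server.csr server.san.pem san.txt     # CSR + extfile: SAN is present

# 3. The split-tunnel config file. It is signed with a private key that has
# nothing to do with the mTLS certificates; only the matching public key
# (the one you would register in Prisma Access) is needed to verify it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out signer.key.pem 2>/dev/null
openssl pkey -in signer.key.pem -pubout -out signer.pub.pem 2>/dev/null
printf '{"exclude":["10.0.0.0/8"]}\n' > split.json      # constructed sample config
printf '{"exclude":["0.0.0.0/0"]}\n'  > tampered.json   # altered copy, same signature

# sign_file KEY FILE SIG / verify_file PUBKEY FILE SIG
sign_file()   { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }

sign_file signer.key.pem split.json split.sig

# Report what the checks see when run stand-alone.
for c in server.nosan.pem server.san.pem; do
    if has_san "$c" "$SAN_HOST"; then echo "$c: SAN $SAN_HOST present"; else echo "$c: no SAN"; fi
done
chain_ok server.san.pem && echo "server.san.pem: chains to Demo Root CA"
verify_file signer.pub.pem split.json split.sig    && echo "split.json: signature OK"
verify_file signer.pub.pem tampered.json split.sig || echo "tampered.json: signature rejected"
```

When run, only server.san.pem reports the SAN, which is exactly why the post needed the -extfile on the signing step and not just -addext on the CSR; the final two lines show that the signature binds the published config to its exact bytes, so a modified file is rejected even though the key and signature are unchanged.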
01-25-2025 12:14 PM
If the CA name matches and it still needs SAN it is strange.
01-27-2025 05:03 AM
Hi Nikoolayy1,
Thank you for your reply.
Starting with Chrome 58, a certificate error will occur if you do not use SAN instead of common name.
I didn't like this error because I first tested it in a browser, but the GP agent may not care.
Please let me know if you can get the split tunnel config using only Common Name.