I am trying to configure GlobalProtect (hereafter: "GP") TLS VPN on a PA-3050 running PAN-OS 8.0.6-h3. I am working with a GP client version 4.0.5.
I have successfully configured GP so that I am able to connect when using a self-signed certificate in the SSL/TLS Service Profile used on both the GP Portal and Gateway configuration; however, when I try to switch the SSL/TLS Service Profile in use to one that uses a certificate signed by our trusted internal certificate authority, I receive the following error after authenticating:
"Gateway <external gateway name*>: The server certificate is invalid. Please contact your IT administrator."
* This is the name of the external gateway configured in the GP Portal on the Agent tab, not the name of the GP Gateway on the Gateways section of the Network | GlobalProtect setup.
We do not have any sort of client certificate authentication configured.
Regarding the internal CA-signed certificate... I used a certificate template that we use for web servers. The internal CA's root certificate is already marked as a trusted root CA certificate on the PAN NGFWs as well as all of our workstations and servers, including the client machine I am testing with. When I visit the GP Portal web page, the web browser shows the Portal's server certificate as trusted; I do not see any sort of certificate warning (which I do when I use the self-signed certificate instead).
My assumption is that it has something to do with the marked capabilities of the internal-CA-signed certificate vs. the self-signed certificate.
The self-signed certificate has the following attributes on the Key Usage property: Digital Signature, Key Encipherment, Data Encipherment, and Key Agreement (b8). It has the following attributes on the Enhanced Key Usage property: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), and IP security end system (1.3.6.1.5.5.7.3.5).
My internal-CA-signed certificate has the following Key Usage attributes: Digital Signature, Key Encipherment (a0). It has the following Enhanced Key Usage attributes: Server Authentication (1.3.6.1.5.5.7.3.1).
Clearly, my internal-CA-signed certificate is configured to be allowed for a more limited set of uses and capabilities than the self-signed certificate generated by the PAN NGFW itself. I'm not against configuring a special certificate template on our internal CA in order to add additional capabilities to a cert for use by the PAN NGFW for the purpose of GP Portal/Gateway server configuration, but I want to know what capabilities are required.
Or, if there is something else I should check, please let me know.
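The following script is an added example, not part of the original post and not Palo Alto Networks code. It mints two throw-away self-signed certificates that reproduce the two extension profiles described above (Key Usage b8 with the three EKUs versus Key Usage a0 with Server Authentication only), prints what each carries, lists the EKUs the internal-CA profile lacks, and checks whether the certificate's Subject Alternative Name covers the gateway hostname the agent connects to, since a name mismatch is rejected by any TLS client before key usage is considered. The hostname `gp-gw.example.internal` is an assumption standing in for the external gateway address configured on the Portal's Agent tab; the script does not claim which of the differing attributes GlobalProtect requires, it only makes the differences visible so the real Portal/Gateway certificate can be inspected the same way.

```shell
#!/bin/sh
# Added example (not from the original post): mint two throw-away self-signed
# certificates that mirror the two extension profiles described above, then
# inspect them the way one would inspect the real Portal/Gateway certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Assumed hostname: stands in for the external gateway address the GP Portal
# hands to the agent (not a value taken from the post).
GW_HOST="gp-gw.example.internal"

# make_cert NAME KEYUSAGE EKU HOST
# Writes a minimal OpenSSL config with the requested X509v3 extensions, creates
# a self-signed certificate from it and prints the PEM path.
make_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $4
[ext]
keyUsage         = critical, $2
extendedKeyUsage = $3
subjectAltName   = DNS:$4
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        >/dev/null 2>&1
    printf '%s\n' "$WORK/$1.pem"
}

# cert_extensions CERT
# Prints the Key Usage, Extended Key Usage and Subject Alternative Name values
# of a certificate as "Name: value" lines (the text shown by openssl x509 -text).
cert_extensions() {
    openssl x509 -in "$1" -noout -text | awk '
        /^ *X509v3 (Key Usage|Extended Key Usage|Subject Alternative Name):/ {
            name = $0; sub(/^ *X509v3 /, "", name); sub(/:.*$/, "", name)
            getline; val = $0; sub(/^ */, "", val)
            print name ": " val
        }'
}

# has_eku CERT "EKU name as OpenSSL prints it"  -> exit 0 if the EKU is present
has_eku() {
    cert_extensions "$1" | grep '^Extended Key Usage:' | grep -qF -- "$2"
}

# matches_host CERT HOST -> exit 0 if the certificate's SAN/CN covers HOST.
# A mismatch here fails validation in any TLS client regardless of key usage.
matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# eku_diff CERT_A CERT_B -> EKU values present in A but missing from B, one per line
eku_diff() {
    a=$(cert_extensions "$1" | sed -n 's/^Extended Key Usage: //p' | tr ',' '\n' | sed 's/^ *//')
    b=$(cert_extensions "$2" | sed -n 's/^Extended Key Usage: //p' | tr ',' '\n' | sed 's/^ *//')
    printf '%s\n' "$a" | while IFS= read -r e; do
        [ -n "$e" ] || continue
        printf '%s\n' "$b" | grep -qxF -- "$e" || printf '%s\n' "$e"
    done
}

# The firewall's self-signed profile (KU b8, three EKUs) versus the internal-CA
# template profile (KU a0, serverAuth only); both are constructed locally here.
SELF_CERT=$(make_cert selfsigned \
    "digitalSignature, keyEncipherment, dataEncipherment, keyAgreement" \
    "serverAuth, clientAuth, ipsecEndSystem" "$GW_HOST")
CA_CERT=$(make_cert internalca "digitalSignature, keyEncipherment" "serverAuth" "$GW_HOST")

echo "== self-signed profile ==";  cert_extensions "$SELF_CERT"
echo "== internal-CA profile ==";  cert_extensions "$CA_CERT"
echo "== EKUs the internal-CA profile lacks =="; eku_diff "$SELF_CERT" "$CA_CERT"
matches_host "$CA_CERT" "$GW_HOST" && echo "SAN covers $GW_HOST" || echo "SAN does NOT cover $GW_HOST"
```

To inspect the real certificate, point `cert_extensions` and `matches_host` at the PEM exported from the firewall and pass the exact gateway address the Portal's Agent tab publishes; `eku_diff` then shows what the internal-CA template omits relative to the firewall-generated certificate.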