08-29-2023 06:43 AM
Digicert isn't going to sell you a subordinate CA certificate that is actually trusted by the default root and intermediate certificates; if they did, they'd quickly become an untrusted certificate authority like Symantec. They'd essentially be selling certificates with the ability to MITM every single major operating system and browser used by normal individuals.
I think you may have purchased a dedicated intermediate from Digicert, and in the process of using it for this massively violated the ToS of the product. In the event that this was what you did, then the behavior is actually expected behavior with how you would have been using the certificate.
I'd highly recommend getting an actual SubCA certificate generated if you have your own in-house PKI system so that your clients automatically trust the generated certificates. If you don't have your own PKI system, just generate a certificate on the firewall and feed it out to all connected clients. This can be done through GPO and most MDMs.
In the event that you don't have Group Policy to fall back on and you don't have an MDM, you can actually get the certificate deployed through GlobalProtect upon connection easily. Under your Portal Agent configurations add the certificate as a 'Trusted Root CA' and ensure that you have the box checked for 'INSTALL IN LOCAL ROOT CERTIFICATE STORE'. Anyone connecting to GlobalProtect will now have those certificates installed automatically the next time they connect.
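As an added example (not from the original poster or from Palo Alto Networks), the following PowerShell script does on a single Windows machine what the GPO, MDM or GlobalProtect push does at scale: it verifies that the exported firewall certificate really is a CA certificate, refuses to deploy a file that carries a private key, and installs it into the machine's Trusted Root store only if it is not already there. The file path is an assumption; replace it with the certificate exported from your firewall.

```powershell
# Added example: idempotently install a firewall's forward-trust CA certificate
# into the LocalMachine Trusted Root store. Run from an elevated session.
# Assumed path (placeholder); point it at the .cer exported from the firewall.
$CertPath = 'C:\Deploy\fw-forward-trust-ca.cer'

function Test-IsCaCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # basicConstraints (OID 2.5.29.19) must assert CA:TRUE. A purchased
    # end-entity or server certificate lacks this and cannot sign leaf certs.
    $raw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if ($null -eq $raw) { return $false }
    $bc = New-Object System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension($raw, $raw.Critical)
    return $bc.CertificateAuthority
}

function Install-ForwardTrustCa {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    if (-not (Test-IsCaCertificate $cert)) {
        throw "$Path is not a CA certificate (basicConstraints CA:TRUE missing); clients would not trust certificates it issues."
    }
    if ($cert.HasPrivateKey) {
        # Only the public certificate belongs on clients; the key stays on the firewall.
        throw "Refusing to deploy: $Path contains a private key."
    }

    $existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($existing) {
        Write-Output "Already installed: $($cert.Subject) ($($cert.Thumbprint))"
        return $false
    }

    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Installed: $($cert.Subject) ($($cert.Thumbprint)), valid until $($cert.NotAfter)"
    return $true
}

Install-ForwardTrustCa -Path $CertPath
```

The same thumbprint check is a quick way to audit a client that still shows certificate warnings after the GlobalProtect or GPO rollout.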