Trusted Root CA Not Installed on Client?

L3 Networker

This is on a PA-3020 running PAN-OS 7.0.4.

 

I've always manually chained certificates when installing an SSL certificate for Global Protect.  I decided to see if I could install the SSL certificate and the Intermediate certificates separately and see if it would work.  I configured Global Protect Portal > Agent Configuration > Trusted Root CA with the GoDaddy G2_G1 certificate provided by GoDaddy.

 

When I log into Global Protect, I do not get the 'untrusted certificate' error.  However, when I check Keychain on my Mac, it only shows the client certificate installed, not the GoDaddy intermediate, and the certificate is labeled as 'signed by unknown authority'.

 

My questions:

 

1. Does the Global Protect client just check the Trusted Root CA but not push the certificate down to the client?

2. Is it still recommended to manually create the certificate chain or use this method?  

 

The reason I'm trying not to chain them is because the client wants his SSL certificate to update via OCSP and it just doesn't do that if it's manually chained.

 

Thanks.
