Palo Alto Networks Knowledgebase: How to Use a Wildcard SSL Cert with Subject Alternative Names for GlobalProtect Portal/Gateway.

Created On 08/05/19 20:23 PM - Last Updated 08/05/19 20:36 PM
GlobalProtect Prisma Access
Resolution

Overview

This document describes how to use a single server certificate whose Common Name is a wildcard (for example *.example.com) and whose Subject Alternative Name (SAN) extension lists the hostnames of the other protected services. A TLS client matches the hostname it connected to against the SAN entries and, when DNS SANs are present, ignores the Common Name (RFC 6125, section 6.4.4), so the DNS name of the GlobalProtect Portal and of every GlobalProtect Gateway must appear as a SAN; the wildcard CN by itself does not cover them. The examples below assume those names are listed as SANs.


Steps

  1. Create a CA root certificate. Its private key signs every portal and gateway certificate, so keep it on a trusted system and do not distribute it.
  2. Create a new certificate and have it signed by the CA root certificate from step 1. This is the wildcard certificate used by the GlobalProtect Portal and every Gateway, so every portal and gateway hostname must be listed as a DNS Name in its SAN. For example:
       Name: GP-Cert
       Common Name: *.example.com
       Subject Alternative Name:  DNS Name=vpn1.example.com,  DNS Name=vpn2.example.com
  3. Create DNS records that resolve the portal and gateway hostnames to their IP addresses. For example:
      GlobalProtect Portal IP address: resolved by vpn2.example.com
      GlobalProtect Gateway IP address: resolved by vpn1.example.com
    Note: If the GlobalProtect Portal and Gateway share the same IP address (for example, one Palo Alto Networks firewall interface is configured as both portal and gateway), a single hostname can be used for the shared IP address, and that hostname must still be a SAN. For this example, the portal and gateway hostname would be: vpn2.example.com.
  4. Import the certificates into the certificate store of the GlobalProtect Portal firewall and of each GlobalProtect Gateway firewall (in a multi-gateway setup). Every gateway terminates TLS with the same certificate, so GP-Cert must be exported together with its private key (PKCS#12 with a passphrase) and imported on each firewall; protect that file and passphrase, because anyone holding the key can impersonate the portal and all gateways. The CA root certificate is imported without its private key.
    • In PAN-OS 4.0 and 4.1, the certificates are located at Device > Certificates
    • In PAN-OS 5.0 and later, the certificates are located at Device > Certificate Management > Certificates
  5. Single firewall deployment - Follow the portal configuration steps in the GlobalProtect Configuration Tech Note, along with the steps below:
    • Use GP-Cert (from step 2) as the server certificate under the portal configuration
    • Use the CA root certificate (from step 1) under the "Trusted Root CA" section of the client configuration, so agents trust the portal and gateway certificates without a certificate warning
    • Specify the external gateway address by hostname, not IP address, so it matches a SAN. For this example, the gateway is "vpn1.example.com"

For a multi-gateway deployment, follow the gateway configuration steps in the GlobalProtect Configuration Tech Note on each gateway firewall, and use GP-Cert (from step 2) under the server certificate section.
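The certificate material from steps 1 and 2, built with OpenSSL, followed by the hostname check that a TLS client performs. This is an added example and is not part of the original article or of PAN-OS; it assumes OpenSSL 1.1.1 or later is on the path, uses the article's names (GP-Cert, *.example.com, vpn1.example.com, vpn2.example.com), and invents the CA name GP-CA, the working directory, the key sizes and the PKCS#12 passphrase. The PKCS#12 bundle is the form in which the certificate and its private key are imported into each firewall's certificate store in step 4. The final check shows that vpn1 and vpn2 are accepted through the SAN list while vpn3.example.com is rejected even though the wildcard CN would textually match it.

```shell
#!/bin/sh
# Added example (not from the article or PAN-OS): generate the CA and the
# wildcard+SAN server certificate with OpenSSL, bundle them for import, and
# check which hostnames the server certificate really covers.
# Assumptions: openssl on PATH; GP-CA, the work directory, key sizes and the
# PKCS#12 passphrase are invented here; the other names follow the article.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-changeit}"   # assumed passphrase; use a strong one for real

# Step 1: a private root CA. Keep ca.key off the firewalls once GP-Cert is signed.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = GP-CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: GP-Cert with a wildcard CN and the portal/gateway hostnames as DNS SANs.
# The SAN list is what clients match; every portal and gateway name belongs here.
make_server_cert() {
    cat > "$WORK/gp.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = *.example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn1.example.com, DNS:vpn2.example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/gp.cnf" \
        -keyout "$WORK/gp.key" -out "$WORK/gp.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$WORK/gp.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/gp.cnf" -extensions v3_req -out "$WORK/gp.crt" 2>/dev/null
}

# Step 4: the firewall import format. Certificate plus private key go into one
# passphrase-protected PKCS#12 file; ca.crt is imported on its own, without a key.
make_pkcs12() {
    openssl pkcs12 -export -name "GP-Cert" -inkey "$WORK/gp.key" -in "$WORK/gp.crt" \
        -certfile "$WORK/ca.crt" -passout "pass:$P12_PASS" -out "$WORK/GP-Cert.p12"
}

# Exit 0 if a TLS client would accept gp.crt for the given hostname.
# OpenSSL matches the SAN entries and, because DNS SANs are present,
# ignores the Subject CN entirely (RFC 6125 section 6.4.4).
check_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/gp.crt" >/dev/null 2>&1
}

# One line per candidate hostname; vpn3 is not a SAN, so the wildcard CN
# alone does not rescue it.
covered_hosts() {
    for h in vpn1.example.com vpn2.example.com vpn3.example.com; do
        if check_host "$h"; then echo "$h OK"; else echo "$h MISMATCH"; fi
    done
}

make_ca
make_server_cert
make_pkcs12
covered_hosts
```

If a wildcard is genuinely wanted for every host under example.com, it has to be added as a SAN entry (DNS:*.example.com) rather than relied on in the CN; GlobalProtect agents, like the OpenSSL check above, only consult the SAN list when one is present.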



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld8CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail