How to Implement SSL Certificates on iOS Devices for GlobalProtect Authentication

Created On 09/25/18 19:49 PM - Last Modified 09/29/25 07:59 AM


Symptom


iOS devices require SSL certificates to be verified before they can be presented. If the client certificate used for GlobalProtect is not properly verified, the connection will not succeed. This can lead to situations where a certificate works on macOS, Windows, or Android, but not on iOS. The issued certificate can be self-signed or signed by an internal or external Certificate Authority (CA). Regardless of the issuing CA, it is essential to ensure that the complete certificate chain is available on the iOS device.




Environment


  • GlobalProtect App
  • Apple iOS devices
  • Client Certificate Authentication


Resolution


The primary step in diagnosing this problem is to confirm that the certificate profile on the iOS device is verified. A green check mark should indicate that the certificate is valid and the entire certificate chain is correctly installed.

1. Navigate to Settings > General > Profiles

2. When selected, the installed certificate shows a "Not verified" error status.

3. Ensure that the complete certificate chain is installed on the device. A simple way to do this is by emailing the intermediate and root certificates to the iOS device. These certificates do not require a private key. If the intermediate certificate is not available, you may skip it.


4. Once the complete certificate chain is installed, the device will be able to verify the client certificate and present it during the GlobalProtect connection.


If you're running iOS 10.3 or later, please follow this additional step to manually trust the newly installed certificate.

https://support.apple.com/en-us/HT204477

To trust the certificate for SSL connections, go to Settings > General > About > Certificate Trust Settings, and enable trust under the 'Enable Full Trust for Root Certificates' section.
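
Before sending the certificates to the device, you can confirm on a workstation that the client certificate verifies against exactly the root and intermediate you plan to install. The script below is an added example, not part of the original article or Palo Alto Networks tooling; it uses the openssl CLI, and every file name and certificate subject in it is constructed for the demo.

```shell
#!/bin/sh
# Added example. File names and subjects are constructed for the demo.

# issue NAME SUBJECT EXTFILE [ISSUER]: make a key and CSR, then sign the CSR.
# Without ISSUER the certificate is self-signed (the demo root).
issue() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
    if [ -n "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -extfile "$ext" -days 30 -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -signkey "$name.key" \
            -extfile "$ext" -days 30 -out "$name.pem" 2>/dev/null
    fi
}

# make_demo_chain DIR: constructed root -> intermediate -> client chain.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$d/client.ext"
    issue "$d/root"   "/CN=Demo Root CA"         "$d/ca.ext" &&
    issue "$d/inter"  "/CN=Demo Intermediate CA" "$d/ca.ext" "$d/root" &&
    issue "$d/client" "/CN=demo-user"            "$d/client.ext" "$d/inter"
}

# check_chain CLIENT ROOT [INTERMEDIATE]: exit status 0 only when CLIENT
# verifies up to ROOT using just the certificates you intend to install.
check_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
make_demo_chain "$demo" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
if check_chain "$demo/client.pem" "$demo/root.pem" "$demo/inter.pem"; then
    echo "root + intermediate: chain complete"
fi
if ! check_chain "$demo/client.pem" "$demo/root.pem"; then
    echo "root only: chain incomplete, the intermediate must be installed too"
fi
rm -rf "$demo"
```

For a real deployment, call `check_chain` with your exported client certificate in PEM form (no private key needed) and the root and intermediate files you intend to send to the device.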


