SSL Certificate for iOS Devices

68921
Created On 09/25/18 19:49 PM - Last Modified 04/20/20 23:38 PM


Symptom


iOS devices will present an SSL client certificate only when the device has verified it. When a client certificate is used to connect to GlobalProtect, the certificate on the device must show as verified; otherwise the connection will fail. There may be cases where the same certificate works on a Mac, PC or Android device but not on an iOS device.

The certificate can be self-signed or issued by an internal or external CA. Regardless of the CA, the complete certificate chain must be made available on the iOS device.

 

(Images: Error 1.png, Error 2.png)

Diagnosis

The first thing to check for such an issue is whether the certificate profile on the iOS device is verified. You should see a green check mark stating that the certificate is verified, which means the complete chain is present.

 

1. Navigate to Settings > General > Profiles.

2. When selected, the installed certificate will show a "Not Verified" status. See the image below for reference.

 

(Image: Invalid Cert.png)

 

 

3. Ensure the complete chain is installed. The simplest way to do this is to email the intermediate and root certificates to the device. These certificates do not require a private key; they can be installed as public certificates. If your chain has no intermediate certificate, skip that step; the root certificate and the actual certificate are sufficient.

 

(Image: Cert Chain.png)

 

4. Once the complete chain is present, the device will be able to verify the certificate installed on it and will present it to the GlobalProtect connection.

 

(Image: Valid Cert.png)
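As an added illustration, not part of the original article, the following Go program reproduces the chain check behind steps 3 and 4: it builds a constructed root CA, intermediate CA and client certificate, then verifies the client certificate once with only the root present (the "Not Verified" case) and once with root plus intermediate. All names and keys are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, priv // root: issuer and subject are the same certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// chainVerifies mirrors the iOS Verified / Not Verified check: does leaf chain to a trusted root using only the intermediates present? (Chain building only; no EKU check.)
func chainVerifies(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := leaf.Verify(opts)
	return err == nil
}

func main() {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil)
	inter, interKey := mkCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("gp-user@example.test", false, inter, interKey)
	fmt.Println("root only, intermediate missing:", chainVerifies(leaf, []*x509.Certificate{root}, nil)) // false
	fmt.Println("root + intermediate (full chain):", chainVerifies(leaf, []*x509.Certificate{root}, []*x509.Certificate{inter})) // true
}
```

The same check also shows why a certificate issued directly by the root needs no intermediate: with only the root installed, such a leaf verifies immediately.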

 

If running iOS 10.3 or later, follow this additional step to trust the newly installed certificate:

https://support.apple.com/en-us/HT204477

 

If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.



Resolution


Now that the complete, correct certificate chain is installed, GlobalProtect should be able to connect successfully. Ensure that the certificate emailed to the device is in PKCS format, as this is the most desirable format.

 

 

(Image: Connected.png)


