SSL Certificate for iOS Devices - Knowledge Base - Palo Alto Networks

SSL Certificate for iOS Devices

Created On 09/25/18 19:49 PM - Last Modified 04/20/20 23:38 PM



iOS devices present an SSL certificate only when it is verified. When a client certificate is used to connect to GlobalProtect, the device must have a verified certificate; otherwise you will not be able to connect. There can be instances where the same certificate works on a Mac, PC, or Android device but not on iOS devices.


The issued certificate can be self-signed or issued by an internal/external CA. Regardless of the CA, the complete certificate chain must be made available on the iOS device.


[Image: Error 1.png]    [Image: Error 2.png]


The first thing to check for such an issue is that the certificate profile on the iOS device is verified. You should see a green check mark stating that the certificate is verified and that the complete chain is present.


1. Navigate to Settings > General > Profiles.

2. When selected, the installed certificate will show an error status of "Not verified". See the image below for reference.


[Image: Invalid Cert.png]



3. Ensure that you have installed the complete chain for the certificate. The simple way to do this is to email the intermediate and root certificates to the device. These certificates do not require a private key; they can be installed with only the public key. If you do not have an intermediate, you can skip that certificate; just the root and the actual certificate should do.


[Image: Cert Chain.png]


4. Once you have the complete chain, the device will now be able to verify the certificate installed in it, and will present it to the GlobalProtect connection.


[Image: Valid Cert.png]


If running iOS 10.3 or later, follow this additional step to trust the newly installed certificate.


If you want to turn on SSL trust for that certificate, go to Settings > General > About > Certificate Trust Settings. Under "Enable full trust for root certificates," turn on trust for the certificate.


Now that you have the correct certificate chain, GlobalProtect should be able to connect successfully. Ensure that the certificate emailed to the device is in PKCS format, as this is the most desirable format.
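
One way to confirm on a workstation, before emailing the files in step 3, that the client certificate chains to the root using only the files you are about to send. This is an added example, not part of the original article or Palo Alto Networks tooling; it assumes the OpenSSL command line and PEM-encoded files, and the demo chain and all file names are constructed.

```shell
#!/bin/sh
# Added example. The demo certificates and file names are constructed.

# Build a throwaway chain: root CA -> intermediate CA -> client certificate.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter client; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/client.pem" 2>/dev/null
}

# check_chain CLIENT ROOT [INTERMEDIATE]
# Returns 0 only if CLIENT chains to ROOT using nothing but the files given,
# i.e. the set of certificates sent to the device is complete.
check_chain() {
    leaf=$1; root=$2; inter=${3:-}
    set -- -no-CApath -CAfile "$root"      # leave the system CA directory out
    [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
    if openssl verify "$@" "$leaf" >/dev/null 2>&1; then
        echo "chain complete: $leaf"
    else
        echo "chain incomplete: $leaf was issued by"
        openssl x509 -noout -issuer -in "$leaf"
        return 1
    fi
}

demo=$(mktemp -d)
make_demo_chain "$demo"
# All three files present: the chain verifies.
check_chain "$demo/client.pem" "$demo/root.pem" "$demo/inter.pem" || true
# Intermediate left out: verification fails and the missing issuer is printed.
check_chain "$demo/client.pem" "$demo/root.pem" || true
```
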



