GlobalProtect failed to connect - required client certificate is not found

291308
Created On 09/26/18 13:47 PM - Last Modified 05/09/23 16:39 PM


Symptom


 

You have configured the GlobalProtect portal and gateway for two-factor authentication using both an authentication profile and a certificate profile, but when you try to connect from the client computer the status page of the GlobalProtect app shows the following error:

"Required Client Certificate is not found"

 

You may also see this error message in the PanGP Service Log:

Debug(3624): Failed to pre-login to the portal XX.XX.XX.XX. Error 0

Debug(1594): close WinHttp close handle.

Debug(3588): prelogin status is Error

Error(3591): pre-login error message: Valid client certificate is required

Debug(1594): close WinHttp close handle.

Debug(4213): portal status is Client Cert Required.

Debug(3697): Portal required client certificate is not found.



Environment


  • Palo Alto Networks Firewall
  • GlobalProtect Infrastructure


Cause


  • These errors occur because the GlobalProtect app cannot find a certificate in the client computer's certificate store that satisfies the portal's certificate profile, i.e. a valid certificate issued by a CA the profile trusts, with its private key present and its chain of trust available. The portal therefore rejects the pre-login with "Valid client certificate is required".


Resolution


You have four options when implementing certificate-based client authentication in your GlobalProtect environment.

  1. Shared client certificate - every endpoint authenticates with the same certificate, which can be generated locally on the firewall or imported from a trusted CA. Note that a certificate distributed by the portal is installed in the user certificate store only; machine certificates (which must be imported into the machine certificate store) cannot be pushed from the portal.
  2. Unique client certificates - require either a SCEP server on your network or an internal PKI that deploys a certificate to each machine individually through GPO or another device-management system.
  3. Machine certificates - used with the Pre-Logon connect method to authenticate the device rather than the user.
  4. Certificate selection based on OID - a specific object identifier (OID) can be configured so that the app selects the matching certificate from the store.

The client certificate imported to the client machine(s) does not have to be signed by the same root CA that signed the 'Server Certificate' configured in the Portal/Gateway settings. However, the full chain of trust for the client certificate, i.e. the root CA plus any intermediate CAs, must be imported on the firewall (where the certificate profile references it) and must also be present on the user's machine.

Note: When viewing Device > Certificates in the firewall GUI, the client certificate is shown indented under the CA that issued it, which confirms the chain is complete on the firewall.

If the certificate is self-signed, it must be imported into the trusted root CA store so that it is trusted.
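The following PowerShell diagnostic is an added example and is not part of this KB article or of any Palo Alto Networks tool. It walks the checks listed above on a Windows client: it enumerates the personal certificate stores of the current user (where a portal-pushed shared certificate lands) and of the machine (where a Pre-Logon machine certificate must live), and for each certificate reports whether the private key is present, whether it is within its validity period, whether it carries the Client Authentication EKU, whether a chain to a trusted root can be built on this machine (which fails when the root or an intermediate CA is missing, or when a self-signed certificate has not been imported into the trusted root store), and optionally whether the issuer and a selection OID match. The issuer string 'CN=Corp Issuing CA', the parameter names and the way the OID is matched (against EKU and extension OIDs) are assumptions for illustration.

```powershell
# Added diagnostic for "Required Client Certificate is not found"; not part of the KB article.
# Run in an elevated PowerShell so the LocalMachine\My store can be read fully.
function Test-GlobalProtectClientCert {
    [CmdletBinding()]
    param(
        # Substring expected in the issuer DN (assumption: you know the CA referenced by the
        # portal's certificate profile). Leave empty to skip the check.
        [string]$ExpectedIssuer = '',
        # Optional OID configured on the portal for certificate selection (option 4 above).
        [string]$RequiredOid = '',
        [ValidateSet('CurrentUser', 'LocalMachine', 'Both')]
        [string]$StoreLocation = 'Both'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $stores = switch ($StoreLocation) {
        'Both'  { 'CurrentUser', 'LocalMachine' }
        default { $StoreLocation }
    }

    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path "Cert:\$store\My" -ErrorAction SilentlyContinue) {
            $now = Get-Date
            $inValidity = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

            # Collect EKU OIDs from the Enhanced Key Usage extension, if one is present.
            $ekuOids = @()
            foreach ($ext in $cert.Extensions) {
                if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                    $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
                }
            }
            # No EKU extension means any purpose; if an EKU is present it must include clientAuth.
            $hasClientAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)

            # Build the chain against this machine's trust stores: root + intermediates must be present.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)
            $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            $chainRoot = if ($chain.ChainElements.Count -gt 0) {
                $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
            } else { '' }

            $issuerOk = [string]::IsNullOrEmpty($ExpectedIssuer) -or ($cert.Issuer -like "*$ExpectedIssuer*")
            # Assumption: the portal's selection OID appears as an EKU OID or an extension OID on the cert.
            $extOids = $cert.Extensions | ForEach-Object { $_.Oid.Value }
            $oidOk = [string]::IsNullOrEmpty($RequiredOid) -or
                     ($ekuOids -contains $RequiredOid) -or ($extOids -contains $RequiredOid)

            [PSCustomObject]@{
                Store         = $store
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                InValidity    = $inValidity
                ClientAuthEku = $hasClientAuth
                ChainBuilds   = $chainOk
                ChainStatus   = if ($chainOk) { 'OK' } else { $chainStatus }
                ChainRoot     = $chainRoot
                IssuerMatches = $issuerOk
                OidMatches    = $oidOk
                Usable        = $cert.HasPrivateKey -and $inValidity -and $hasClientAuth -and
                                $chainOk -and $issuerOk -and $oidOk
            }
        }
    }
}

# Example: check both stores for a certificate issued by the CA in the portal's certificate profile
# (the issuer name is a placeholder; substitute your own CA's subject).
Test-GlobalProtectClientCert -ExpectedIssuer 'CN=Corp Issuing CA' |
    Format-Table Store, Subject, HasPrivateKey, InValidity, ClientAuthEku, ChainBuilds, ChainStatus, IssuerMatches, Usable -AutoSize
```

A row with ChainBuilds set to False and a ChainStatus of PartialChain or UntrustedRoot points at the missing root or intermediate CA described above; a row with HasPrivateKey False means only the public certificate was imported; no row at all in the expected store means the certificate was never deployed to that store (for example, a machine certificate placed in the user store). Revocation checking is disabled here on purpose so that an unreachable CRL does not mask the store and chain problems this article is about.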

For instructions for how to:



Additional Information


For additional documentation regarding certificates and their use within the GlobalProtect environment, please refer to the following documents:

How Does the App Know Which Certificate to Supply?

Set Up Client Certificate Authentication



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClolCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail