Palo Alto Networks Knowledgebase: Error Connecting to GlobalProtect Portal: sec_error_bad_signature

Error Connecting to GlobalProtect Portal: sec_error_bad_signature

6188
Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Resolution

Issue

After configuring GlobalProtect Gateway and Portal, the following errors occur when connecting to Portal from a browser:

  • On Mozilla Firefox:
    Error code: sec_error_bad_signature
  • On Google Chrome:
    You attempted to reach <portal Address>, but the server presented an invalid certificate

 

Cause

This issue can occur if the 'Common Name' (subject) of the root certificate used to sign the GlobalProtect server certificate is the same as the GlobalProtect certificate. The example below shows a certificate, GlobalProtectServerCert, that is signed by GlobalProtectRoot. However, both certificates show up on the same level. Note that the 'Common Name' is the same for both.

 

Resolution

To resolve the issue, create a new root and server certificate pair for the GlobalProtect Gateway and Portal ,and make sure to assign a unique Common Name (Subject) to the root certificate. For example:

 

The display should correctly show the GlobalProtectServerCert nested within the root certificate. Assign the GlobalProtectServerCert to your GlobalProtect Gateway\Portal to complete the configuration.

 

owner: jteetsel



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsECAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language