How to Install a Client Certificate for GlobalProtect on a Linux Machine (Ubuntu)
Created On 04/02/19 04:11 AM - Last Modified 09/04/23 17:54 PM
Objective
A client needs to install a client certificate for GlobalProtect on a Linux machine.
Environment
- PAN-OS 7.1 and above
- Palo Alto Firewall.
- Any supported Linux client running GlobalProtect 4.1.x or 5.0.x.
Procedure
- Install the GlobalProtect agent on the Linux machine. Refer to this link.
- Download or copy the certificate (the .p12 file) to the Linux machine using FTP or SCP. SCP is preferable: the .p12 file contains the private key, and FTP transfers it in cleartext.
- Run the following command to install the certificate:
SA@ubuntu:$ globalprotect import-certificate --location /home/skhan/Desktop/cert_Win7-SOS.p12
Please input passcode:
Import certificate is successful.
Note: In the above command, /home/skhan/Desktop/cert_Win7-SOS.p12 is the path to the certificate; modify it to suit your environment.
- Once the certificate is imported, verify that it was written to the GlobalProtect directory, /opt/paloaltonetworks/globalprotect. In the example below, the import produced the files pan_client_cert.pfx and pan_client_cert_passcode.dat.
skhan@ubuntu:/opt/paloaltonetworks/globalprotect$ ls -lah
total 12M
drwxr-xr-x 3 root root 4.0K Apr 1 17:13 .
drwxr-xr-x 3 root root 4.0K Sep 21 2018 ..
-rwxr-xr-x 1 speech-dispatcher uuidd 3.2M Mar 26 15:43 globalprotect
-rw-r--r-- 1 speech-dispatcher uuidd 1.1K Mar 26 15:43 gpd
-rw-r--r-- 1 speech-dispatcher uuidd 386 Mar 26 15:43 gpd.service
-rwxr-xr-x 1 speech-dispatcher uuidd 415 Mar 26 15:43 gpshow.sh
-rwxr-xr-x 1 speech-dispatcher uuidd 1.6K Mar 26 15:43 gp_support.sh
-rw-r--r-- 1 root root 864 Apr 1 17:13 HipPolicy.dat
-rw-r--r-- 1 root root 471 Apr 1 17:09 install.log
drwxr-xr-x 3 root root 4.0K Apr 1 17:13 network
-rw-r--r-- 1 root root 16 Apr 1 17:12 pan_client_cert_passcode.dat
-rw-r--r-- 1 root root 2.4K Apr 1 17:12 pan_client_cert.pfx
-rwxr-xr-x 1 speech-dispatcher uuidd 3.3M Mar 26 15:43 PanGPA
-rwxr-xr-x 1 speech-dispatcher uuidd 3.9M Mar 26 15:43 PanGPS
-rw-r--r-- 1 root root 924K Apr 1 21:03 PanGPS.log
-rw-r--r-- 1 speech-dispatcher uuidd 2.7K Apr 1 17:19 pangps.xml
-rwxr-xr-x 1 speech-dispatcher uuidd 181 Mar 26 15:43 PanMSInit.sh
-rwxr-xr-x 1 speech-dispatcher uuidd 118 Mar 26 15:43 pre_exec_gps.sh
-rw-r--r-- 1 root root 2.3K Apr 1 17:13 tca.cer
skhan@ubuntu:/opt/paloaltonetworks/globalprotect$
- Connect using pre-logon or user logon with the client certificate; the following entries then appear in PanGPS.log. They confirm that the installed certificate was found, is within its validity period, and is being used for the connection.
P4022-T1047267072 Apr 01 21:08:48:990799 Debug( 160): Linux::GetHttpResponse serverIp=10.46.162.193
P4022-T1047267072 Apr 01 21:08:48:990907 Debug( 599): File /opt/paloaltonetworks/globalprotect/cc.pfx does not exist.
P4022-T1047267072 Apr 01 21:08:48:990913 Debug( 595): File /opt/paloaltonetworks/globalprotect/pan_client_cert.pfx exists.
P4022-T1047267072 Apr 01 21:08:48:990917 Debug( 595): File /opt/paloaltonetworks/globalprotect/pan_client_cert_passcode.dat exists.
P4022-T1047267072 Apr 01 21:08:48:994539 Debug(1174): not before=190326234539Z, not after=200325234539Z
P4022-T1047267072 Apr 01 21:08:48:994558 Debug(1181): cTime=190402040848
P4022-T1047267072 Apr 01 21:08:48:994561 Debug(1187): pkcs12 cert expired = 0
P4022-T1047267072 Apr 01 21:08:48:997781 Debug( 259): certIssuer=/CN=SOS-CA
P4022-T1047267072 Apr 01 21:08:48:997789 Debug( 769): SSL connecting to 10.46.162.193
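The following Python script is an added example and is not part of this article or of the GlobalProtect agent. It parses PanGPS.log entries like those above and reports whether both certificate files were found, whether the certificate's validity window covers the cTime the agent printed, and whether that agrees with the agent's own "pkcs12 cert expired" verdict. The embedded log lines are a constructed sample modelled on the entries quoted above, and the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample of PanGPS.log entries, modelled on the ones quoted in the article.
SAMPLE_LOG = """\
P4022-T1047267072 Apr 01 21:08:48:990907 Debug( 599): File /opt/paloaltonetworks/globalprotect/cc.pfx does not exist.
P4022-T1047267072 Apr 01 21:08:48:990913 Debug( 595): File /opt/paloaltonetworks/globalprotect/pan_client_cert.pfx exists.
P4022-T1047267072 Apr 01 21:08:48:990917 Debug( 595): File /opt/paloaltonetworks/globalprotect/pan_client_cert_passcode.dat exists.
P4022-T1047267072 Apr 01 21:08:48:994539 Debug(1174): not before=190326234539Z, not after=200325234539Z
P4022-T1047267072 Apr 01 21:08:48:994558 Debug(1181): cTime=190402040848
P4022-T1047267072 Apr 01 21:08:48:994561 Debug(1187): pkcs12 cert expired = 0
P4022-T1047267072 Apr 01 21:08:48:997781 Debug( 259): certIssuer=/CN=SOS-CA
"""

FILE_RE = re.compile(r"File (\S+) (exists|does not exist)\.")
VALIDITY_RE = re.compile(r"not before=(\d{12})Z, not after=(\d{12})Z")
CTIME_RE = re.compile(r"cTime=(\d{12})")
EXPIRED_RE = re.compile(r"pkcs12 cert expired = (\d)")
ISSUER_RE = re.compile(r"certIssuer=(\S+)")

def parse_gp_time(text):
    """PanGPS prints certificate times as YYMMDDHHMMSS (UTCTime, Z stripped by the regex)."""
    return datetime.strptime(text, "%y%m%d%H%M%S")

def check_client_cert(log_text, required=("pan_client_cert.pfx", "pan_client_cert_passcode.dat")):
    """Summarise what the log says about the imported client certificate."""
    present, issuer, expired_flag = {}, None, None
    not_before = not_after = ctime = None
    for line in log_text.splitlines():
        if m := FILE_RE.search(line):
            present[m.group(1).rsplit("/", 1)[-1]] = m.group(2) == "exists"   # key by basename
        elif m := VALIDITY_RE.search(line):
            not_before, not_after = map(parse_gp_time, m.groups())
        elif m := CTIME_RE.search(line):
            ctime = parse_gp_time(m.group(1))
        elif m := EXPIRED_RE.search(line):
            expired_flag = m.group(1) == "1"
        elif m := ISSUER_RE.search(line):
            issuer = m.group(1)
    files_ok = all(present.get(name, False) for name in required)
    in_window = None not in (not_before, not_after, ctime) and not_before <= ctime <= not_after
    return {
        "files_ok": files_ok,                 # both the .pfx and its passcode file were found
        "in_window": in_window,               # cTime lies inside not-before/not-after
        "agent_expired_flag": expired_flag,   # the agent's own "pkcs12 cert expired" verdict
        "consistent": expired_flag is not None and expired_flag == (not in_window),
        "issuer": issuer,
        "days_left": (not_after - ctime).days if in_window else None,
    }
```

A "consistent" value of False means the agent's expiry verdict and the validity window it printed disagree, which is worth investigating before trusting the connection attempt.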
Additional Information
1. Client certificate installation/import through the GP portal using the SCEP option is not supported on Linux machines. It is supported only on Windows and Mac devices.
2. Client certificate installation/import on Linux machines should be done through the CLI, as described in the procedure above.