SSL GlobalProtect Certificate authentication checklist
Created On 04/13/19 07:09 AM - Last Modified 09/29/20 00:20 AM
Objective
This article provides a checklist to follow when configuring client certificate authentication.
Environment
- PAN-OS
- GlobalProtect
Procedure
Certificate Chain:
Root -> INTERCA1 -> INTERCA2 -> Server certificate
Root -> INTERCA1 -> INTERCA2 -> Client wildcard certificate
1- Confirm that the certificate profile includes [ Root, INTERCA1 and INTERCA2 ]
2- Confirm that the SSL profile for the Portal and Gateway has the Server Certificate
3- Confirm that the setting Network > GlobalProtect > Portals > [Portal] > Agent > App > Client Certificate Store Lookup is set to User and Machine
Note:
- User: the client certificate should be imported into the User account personal certificate store.
- Machine: the client certificate should be installed in the Computer account personal certificate store.
- User and Machine: the client certificate can be installed in either (Computer or User) personal certificate store.
4- Confirm that the Client wildcard certificate is imported into the client's personal certificate store together with its private key. [Export it from the firewall as Encrypted Private Key and Certificate (PKCS12) and import it on the client.]
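
One way to check steps 3 and 4 on a Windows client, as an added example that is not part of the original article: it lists the certificates in both personal stores and reports whether each has a private key, is within its validity period, and was issued by INTERCA2. The function name Get-ClientCertReport is hypothetical, the CA name INTERCA2 is the article's placeholder, and matching the issuer by CN substring is an assumption.

```powershell
# Added example: audit the User and Machine personal certificate stores.
# Replace 'INTERCA2' (the article's placeholder) with the CN of the CA that
# issued your client certificate. Matching on a CN substring is an assumption.
$ExpectedIssuer = 'INTERCA2'

function Get-ClientCertReport {
    param(
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$IssuerName
    )

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Build the chain from what this machine has locally; no revocation check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built = $chain.Build($cert)

        # Element 0 is the certificate itself; the rest are its issuing CAs.
        $cas = @($chain.ChainElements | Select-Object -Skip 1 |
            ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) })

        [pscustomobject]@{
            Store          = $StorePath
            Subject        = $cert.Subject
            HasPrivateKey  = $cert.HasPrivateKey      # step 4: must be True
            InValidity     = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
            IssuedByExpect = $cert.Issuer -like "*CN=$IssuerName*"
            LocalChainOk   = $built                   # as seen by this client only
            LocalChain     = $cas -join ' <- '
        }
    }
}

# Step 3: with "User and Machine" the certificate may sit in either store,
# so both are inspected.
$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ClientCertReport -StorePath $store -IssuerName $ExpectedIssuer
}

$report | Format-List

# Certificates that satisfy the checklist: right issuer, valid, private key present.
$report | Where-Object { $_.IssuedByExpect -and $_.HasPrivateKey -and $_.InValidity } |
    Select-Object Store, Subject
```

If the last command returns nothing, the certificate was either imported without its private key or placed in a store that the Client Certificate Store Lookup setting does not cover.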