GlobalProtect fails to import Root CA certificate into Windows certificate store
30469
Created On 10/18/19 07:41 AM - Last Modified 04/20/24 02:22 AM
Symptom
- Root CA certificate(s) are added and Install in Local Root Certificate Store option is checked under Network > GlobalProtect Portal > Agent > Trusted Root CA
- After portal connection, Root CA certificate(s) should be imported into the Windows Local Trusted Root certificate store
- This procedure fails and the GlobalProtect app does not import them on the endpoint
Environment
- GlobalProtect App 5.0 & above
- GlobalProtect Portal
- Windows Client
Cause
- There is a change in behavior where the GlobalProtect app skips importing the Root CA certificate(s) into the Windows Local Trusted Root certificate store
- This happens when the Portal server certificate cannot be verified by a Root CA certificate already installed in the endpoint's certificate store
Resolution
- For security reasons, this behavior change was introduced in GlobalProtect app 5.0
- The first option to get around this failure is to pre-install the Root CA certificate that signed the Portal server certificate through a Group Policy (GPO) push or via a Mobile Device Management (MDM) system
- The second option is to have the Portal server certificate signed by a third-party CA whose root certificate is pre-deployed on Windows systems
Additional Information
- The following error is seen in PanGPS.log when GlobalProtect skips the Root CA certificate import (refer to this link to collect GlobalProtect logs):
(P2984-T2704)Debug( 82): 09/24/21 00:38:03:396 Saved root CA(1034 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer.
(P2984-T2704)Debug(9361): 09/24/21 00:38:03:396 Skip importing trusted root CA to store because portal's server certificate is not verified.
- When the Root CA certificate import is successful, the following logs are generated in PanGPS.log:
(P2984-T2704)Debug( 82): 09/24/21 09:57:51:943 Saved root CA(1034 bytes) into file C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer.
(P2984-T2704)Info (2707): 09/24/21 09:57:51:943 Imported root ca.
- The Root CA certificate(s) pushed by the Portal for server certificate verification are stored in the GlobalProtect app directory at C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer
- Additionally, if there are multiple CA certificates in the Portal agent tab, all of them are installed into the endpoint's Local Trusted Root certificate store when the verification described above succeeds. However, if it fails, these certificates are only written to tca.cer
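The following PowerShell script is an added troubleshooting example, not Palo Alto Networks code. It checks the three things the Cause and Additional Information sections turn on from the endpoint's side: whether the portal's server certificate chain builds against the Windows machine root store (an approximation of the verification the app performs before importing), whether each CA saved in tca.cer is already present in Cert:\LocalMachine\Root, and whether PanGPS.log shows the skip or the success message quoted above. The portal hostname is a placeholder, the PanGPS.log path is an assumption (the article does not state it), and tca.cer is assumed to be one or more PEM-encoded certificates, with a single DER certificate as the fallback.

```powershell
# Added example (not Palo Alto Networks code). Hostname and log path are assumptions.
param(
    [string]$Portal  = 'gp-portal.example.com',  # placeholder: replace with your portal FQDN
    [string]$TcaPath = 'C:\Program Files\Palo Alto Networks\GlobalProtect\tca.cer',
    [string]$LogPath = 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.log'  # assumed location
)

# Load every certificate stored in tca.cer. Assumes PEM with one or more
# BEGIN/END blocks; falls back to reading the file as a single DER certificate.
function Get-TcaCertificates([string]$Path) {
    $text   = Get-Content -Path $Path -Raw
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) {
        return ,(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path)
    }
    foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
    }
}

# Is a certificate with this thumbprint already in the machine's Trusted Root store?
function Test-RootInStore([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $null -ne (Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Cert.Thumbprint)
}

# Fetch the portal's server certificate over TLS and build its chain with the
# Windows store. A chain that does not build here is the condition under which
# the article says the app skips the import.
function Test-PortalChain([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept the certificate at the socket level so it can be inspected explicitly below.
        $cb   = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust anchor is of interest here
    $valid = $chain.Build($leaf)
    [pscustomobject]@{
        Subject     = $leaf.Subject
        Issuer      = $leaf.Issuer
        ChainValid  = $valid
        ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootSubject = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

# Pull the two outcome lines quoted in the article out of PanGPS.log.
function Get-ImportEvents([string]$Path) {
    Select-String -Path $Path -Pattern 'Skip importing trusted root CA', 'Imported root ca' |
        ForEach-Object { $_.Line }
}

Write-Host '== Portal chain as seen by this endpoint =='
Test-PortalChain -HostName $Portal | Format-List

Write-Host '== CAs pushed by the portal (tca.cer) =='
foreach ($ca in Get-TcaCertificates -Path $TcaPath) {
    [pscustomobject]@{ Subject = $ca.Subject; Thumbprint = $ca.Thumbprint; InRootStore = Test-RootInStore $ca }
}

Write-Host '== PanGPS.log import outcomes =='
Get-ImportEvents -Path $LogPath
```

Run it from an elevated PowerShell prompt on the affected endpoint. If ChainValid is False and the tca.cer entries show InRootStore = False, the endpoint is in the state this article describes, and the fix is one of the two Resolution options above (pre-deploy the signing Root CA via GPO or MDM, or use a publicly trusted CA for the Portal certificate) rather than anything on the endpoint itself.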