Failed to connect to WinRM over HTTPS, Unable to get basic constraints
Created On 06/14/22 02:18 AM - Last Modified 03/10/23 03:31 AM
Symptom
- The WinRM server monitoring status shows not connected.
- The User-ID log (less mp-log useridd.log) displays the "Unable to get basic constraints" error:
Error: pan_user_id_winrm_query(pan_user_id_win.c:2762): failed to connect to winrm server
Error: pan_user_id_winrm_query(pan_user_id_win.c:2806): Connection failed. response code = 0, error: SSL peer certificate or SSH remote key was not OK in vsys 1
Error: pan_user_id_winrm_verify_cert_cb(pan_user_id_win.c:2922): Unable to get basic constraints
Environment
- Any Palo Alto firewall.
- Windows Remote Management (WinRM) Server
Cause
- The server certificate used by the WinRM server is missing key extensions, which causes this issue.
- Basic constraints is a key extension of the server certificate.
- 'The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.'
Resolution
Reconfigure the server certificate to include the Basic Constraints key extension, then bind this certificate to the WinRM server to resolve the issue.
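To confirm the cause on the WinRM server, and to verify the replacement certificate after rebinding, the following PowerShell reports whether the certificate bound to each WinRM HTTPS listener carries Basic Constraints (OID 2.5.29.19). It is an added example, not part of the original article: the function names Test-BasicConstraints and New-SampleCert and the sample subjects are hypothetical, and the in-memory sample certificates assume PowerShell 7 or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Report whether a certificate carries the Basic Constraints extension (OID 2.5.29.19).
function Test-BasicConstraints {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    [pscustomobject]@{
        Subject             = $Certificate.Subject
        Thumbprint          = $Certificate.Thumbprint
        HasBasicConstraints = [bool]$ext
        IsCA                = if ($ext) { $ext.CertificateAuthority } else { $null }
        Critical            = if ($ext) { $ext.Critical } else { $null }
    }
}

# Constructed sample input: a short-lived self-signed certificate that exists
# only in memory and is never written to a certificate store.
function New-SampleCert {
    param([Parameter(Mandatory)][string]$Subject, [switch]$WithBasicConstraints)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($WithBasicConstraints) {
        # End-entity form: CA = false, no path length constraint, marked critical.
        $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($false, $false, 0, $true))
    }
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# Constructed cases: a certificate without the extension, then one with it.
Test-BasicConstraints (New-SampleCert -Subject 'CN=winrm-without-bc.example')
Test-BasicConstraints (New-SampleCert -Subject 'CN=winrm-with-bc.example' -WithBasicConstraints)

# Live check (run elevated): the certificate bound to each WinRM HTTPS listener.
Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
    Where-Object { $_.Transport -eq 'HTTPS' } |
    ForEach-Object {
        $thumb = ($_.CertificateThumbprint -replace '\s', '').ToUpper()
        if (-not $thumb) { Write-Warning 'HTTPS listener has no certificate thumbprint'; return }
        $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if ($cert) { Test-BasicConstraints -Certificate $cert }
        else { Write-Warning "Listener certificate $thumb not found in LocalMachine\My" }
    }
```

A listener row with HasBasicConstraints set to False matches the condition described under Cause.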
Additional Information
Basic Constraints