Why GlobalProtect fails to import new Root CA certificates into Windows device certificate store?

Created On 10/22/21 18:27 PM - Last Modified 04/23/24 03:27 AM


Symptom


  • The GlobalProtect Portal configuration (Network > GlobalProtect Portal > Agent > Trusted Root CA) includes GP_CA_CERT, the Root CA that signed the portal server certificate
  • GP_CA_CERT is already installed in the device certificate store
  • A second Root CA, SELF_SIGNED, has been added on the portal Agent tab with the Install in Local Root Certificate Store option checked
  • Portal server certificate verification succeeds, but the GlobalProtect app does not import SELF_SIGNED into the device certificate store



Environment


  • GlobalProtect App 5.0 & above
  • Windows Client


Cause


Below is a brief explanation of why the import fails when a new Root CA is added through the GlobalProtect Portal agent configuration:

  1. During portal server certificate verification, the GlobalProtect app first validates the certificate against tca.cer (the Root CA bundle cached from the previous portal connection). Only if that verification fails does it fall back to the device certificate store.
  2. Because tca.cer already contains GP_CA_CERT (the Root CA that signed the portal server certificate), verification succeeds against tca.cer and never reaches the device certificate store. The app only imports the Root CA(s) listed on the Portal agent tab when the portal certificate was verified using a Root CA present in the device certificate store, so the import of SELF_SIGNED is skipped.


Resolution


  1. Delete tca.cer under C:\Program Files\Palo Alto Networks\GlobalProtect manually on the endpoint, then refresh the Portal connection. With no cached bundle, the portal server certificate is verified against GP_CA_CERT in the device certificate store, and SELF_SIGNED is imported.
  2. Alternatively, remove GP_CA_CERT from the GlobalProtect Portal agent tab and refresh the Portal connection twice. The first connection still verifies against the old tca.cer and rewrites it so that it contains only SELF_SIGNED. On the second connection, verification against tca.cer fails (SELF_SIGNED did not sign the portal server certificate), so the app falls back to GP_CA_CERT in the device certificate store; verification succeeds there and SELF_SIGNED is imported.
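The following script is an added example for administrators working through the resolution above; it is not Palo Alto Networks tooling and is not part of the original article. It assumes the default install path named in step 1, that tca.cer is either a PEM bundle (one or more BEGIN CERTIFICATE blocks) or a single DER-encoded certificate (the article does not state the encoding), and that it is run from an elevated PowerShell session, since the GlobalProtect program directory is not writable by standard users. It lists the Root CAs cached in tca.cer, reports whether each one is already present in the device store (Cert:\LocalMachine\Root), deletes tca.cer as in step 1, and provides a check to run after the portal refresh to confirm that the new Root CA arrived in the device store.

```powershell
# Added example, not GlobalProtect's own code. Run as Administrator.
# Assumptions: default GlobalProtect install path; tca.cer is PEM (one or more certs) or a single DER cert.

$GpDir   = 'C:\Program Files\Palo Alto Networks\GlobalProtect'
$TcaPath = Join-Path $GpDir 'tca.cer'

function Get-TcaCertificates {
    # Returns the X509Certificate2 objects cached in tca.cer (empty array if the file is absent).
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $raw   = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($raw)
    $certs = @()
    $pem   = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if ($pem.Count -gt 0) {
        # PEM bundle: decode every block individually (X509Certificate2Collection.Import on
        # Windows PowerShell 5.1 would only read the first PEM certificate).
        foreach ($m in $pem) {
            $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
            $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
        }
    } else {
        # Not PEM: assume a single DER-encoded certificate.
        $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    }
    return $certs
}

function Test-RootInDeviceStore {
    # True when a certificate with this thumbprint exists in the machine Trusted Root store.
    param([string]$Thumbprint)
    return [bool](Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

# 1. Show what the last portal connection cached and whether it is already trusted by the device store.
$cached = Get-TcaCertificates -Path $TcaPath
if ($cached.Count -eq 0) {
    "No certificates found in $TcaPath (file missing or unreadable)."
}
foreach ($c in $cached) {
    $state = if (Test-RootInDeviceStore -Thumbprint $c.Thumbprint) { 'present in device store' } else { 'NOT in device store' }
    '{0,-60} {1} {2}' -f $c.Subject, $c.Thumbprint, $state
}

# 2. Resolution step 1: remove the cached bundle so the next portal connection must verify the
#    portal certificate against the device store. GlobalProtect recreates tca.cer on the next connection.
if (Test-Path -LiteralPath $TcaPath) {
    Remove-Item -LiteralPath $TcaPath -Force
    "Deleted $TcaPath. Now refresh the portal connection from the GlobalProtect app."
}

# 3. After the refresh: confirm the Root CA from the portal Agent tab was imported. Replace the
#    subject substring below with the CN of your own Root CA (SELF_SIGNED is the article's placeholder).
$newRootSubjectMatch = 'SELF_SIGNED'
$imported = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "*$newRootSubjectMatch*" }
if ($imported) {
    $imported | ForEach-Object { 'Imported: {0} {1}' -f $_.Subject, $_.Thumbprint }
} else {
    "No Root CA matching '$newRootSubjectMatch' in Cert:\LocalMachine\Root yet; refresh the portal connection and re-run this check."
}
```

Two things to keep in mind when using this. First, the refresh in step 2 only works because GP_CA_CERT (the Root CA that actually signed the portal server certificate) is already in the device store; if it were not, deleting tca.cer would make the portal certificate unverifiable rather than fix the import. Second, check the listed thumbprints against the certificates you exported from the firewall before trusting the output: the script reports what is on disk, it does not validate who put it there.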


Additional Information


tca.cer is a file the GlobalProtect app writes during each portal connection. It holds the Root CA certificate(s) referenced in the portal agent configuration and is consulted first on the next portal server certificate verification, before the device certificate store.



Article link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMfQCAU&lang=en_US