GlobalProtect connection fails with error message "A valid client certificate is required for authentication" due to expired CRL
5753
Created On 01/12/23 15:54 PM - Last Modified 05/29/24 20:06 PM
Symptom
GlobalProtect client connection to Portal/Gateway fails with the error "A valid client certificate is required for authentication"
Environment
- GlobalProtect (GP) App
- Client Certificate Authentication
Cause
- "Use CRL" is enabled on the certificate profile
- When the CRL is expired, system logs and sslmgr logs provide this information:
- system logs (show log system)
SSLMGR certificate crl verification failed.[807f7bc0] CRL status unknown: CRL has expired
- sslmgr logs (less mp-log sslmgr.log)
:06.764 +0000 CRL ('http://cdpweb/CertEnroll/RootCA.crl') expired, update cache entry.
:06.764 +0000 Error: pan_crls_is_revoked(pan_crl.c:1851): [CRL] CRL is expired for serial number[xxxxxxxxx00000017] and uri[http://cdpweb/CertEnroll/RootCA.crl]
- Debug command confirms the expired CRL as well
> debug sslmgr view crl http://cdpweb/CertEnroll/RootCA.crl
Current time is: Fri Dec 16 06:26:00 2022
Next update time is Jan 08 15:30:17 2023 GMT >>>> compare with "Current time": the CRL is expired once the current time is later than this Next update time (the timestamps and serial numbers in this sample output are illustrative, like the placeholder serials below)
Count Serial Number Revocation Date
------- ---------------------------------------- ------------------------
[1 ] abcdefg Jun 24 22:35:00 2014 GMT
[2 ] hijklmn Jun 24 21:28:00 2014 GMT
[3 ] opqrstu Oct 24 20:10:00 2017 GMT
Note: "Next Update" is the CRL's nextUpdate field, the time by which the issuing CA promises to publish a new CRL. Relying parties treat it as the CRL's expiration date: the firewall's sslmgr as well as operating system clients (Ex: Windows, MacOS). Once it has passed, the cached CRL can no longer be used, the revocation status of any certificate checked against it becomes unknown, and the certificate is rejected. On the firewall, whether an unknown status blocks the session is controlled by the certificate profile's "Block sessions with unknown certificate status" setting.
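The log lines and debug output above are what a practitioner greps for first. The following is an added example, not code from this article or from Palo Alto Networks: it pulls the expired CRL URI and the affected client-certificate serials out of constructed system-log and sslmgr.log lines shaped like the excerpts above, and parses constructed "debug sslmgr view crl" output to decide expiry by comparing "Current time" with "Next update time". The timestamps, CDP hostname and serials are placeholders, and the parser assumes the firewall clock shown under "Current time" is in UTC.

```python
import re
from datetime import datetime

# Constructed sample input, modelled on the log excerpts quoted in this article.
# The timestamps, the CDP hostname and the serial numbers are placeholders, not a real capture.
SAMPLE_SYSTEM_LOG = (
    "SSLMGR certificate crl verification failed.[807f7bc0] CRL status unknown: CRL has expired\n"
)
SAMPLE_SSLMGR_LOG = (
    "2022-12-16 06:26:06.764 +0000 CRL ('http://cdpweb/CertEnroll/RootCA.crl') expired, update cache entry.\n"
    "2022-12-16 06:26:06.764 +0000 Error: pan_crls_is_revoked(pan_crl.c:1851): [CRL] CRL is expired "
    "for serial number[xxxxxxxxx00000017] and uri[http://cdpweb/CertEnroll/RootCA.crl]\n"
    "2022-12-16 06:27:12.118 +0000 Error: pan_crls_is_revoked(pan_crl.c:1851): [CRL] CRL is expired "
    "for serial number[xxxxxxxxx00000021] and uri[http://cdpweb/CertEnroll/RootCA.crl]\n"
)
# Constructed "debug sslmgr view crl" output in which Next update really is behind the clock.
SAMPLE_DEBUG_OUTPUT = """\
Current time is: Fri Dec 16 06:26:00 2022
Next update time is Dec 08 15:30:17 2022 GMT
Count   Serial Number                             Revocation Date
------- ---------------------------------------- ------------------------
[1    ] abcdefg                                  Jun 24 22:35:00 2014 GMT
[2    ] hijklmn                                  Jun 24 21:28:00 2014 GMT
"""

RE_SYSLOG_EXPIRED = re.compile(r"CRL status unknown: CRL has expired")
RE_CRL_EXPIRED = re.compile(r"CRL \('(?P<uri>[^']+)'\) expired")
RE_SERIAL_EXPIRED = re.compile(
    r"CRL is expired for serial number\[(?P<serial>[^\]]+)\] and uri\[(?P<uri>[^\]]+)\]")
RE_CURRENT = re.compile(r"^Current time is:\s*(?P<t>.+?)\s*$", re.M)
RE_NEXT = re.compile(r"^Next update time is\s*(?P<t>.+?)(?:\s+GMT)?\s*$", re.M)
RE_ENTRY = re.compile(
    r"^\[\s*\d+\s*\]\s+(?P<serial>\S+)\s+(?P<date>\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) GMT", re.M)


def triage(system_log, sslmgr_log):
    """Map each expired CRL URI to the client-certificate serials that failed against it."""
    expired = {}
    for line in sslmgr_log.splitlines():
        m = RE_CRL_EXPIRED.search(line)
        if m:
            expired.setdefault(m.group("uri"), set())
        m = RE_SERIAL_EXPIRED.search(line)
        if m:
            expired.setdefault(m.group("uri"), set()).add(m.group("serial"))
    hits = sum(1 for line in system_log.splitlines() if RE_SYSLOG_EXPIRED.search(line))
    return {"system_log_hits": hits,
            "expired_crls": {uri: sorted(serials) for uri, serials in expired.items()}}


def parse_debug_output(text):
    """Parse 'debug sslmgr view crl' output and decide expiry from the two timestamps.

    Assumes the firewall clock under 'Current time' is in UTC, like the GMT values
    printed for the CRL; adjust if the device runs in another time zone.
    """
    current = datetime.strptime(RE_CURRENT.search(text).group("t"), "%a %b %d %H:%M:%S %Y")
    next_update = datetime.strptime(RE_NEXT.search(text).group("t"), "%b %d %H:%M:%S %Y")
    return {"current": current, "next_update": next_update,
            "expired": current > next_update,
            "revoked_serials": [m.group("serial") for m in RE_ENTRY.finditer(text)]}


if __name__ == "__main__":
    summary = triage(SAMPLE_SYSTEM_LOG, SAMPLE_SSLMGR_LOG)
    for uri, serials in summary["expired_crls"].items():
        print(f"expired CRL {uri}: {len(serials)} client cert(s) affected: {', '.join(serials)}")
    status = parse_debug_output(SAMPLE_DEBUG_OUTPUT)
    print(f"current={status['current']} nextUpdate={status['next_update']} expired={status['expired']}")
```

The URI the triage returns is the one to feed to `debug sslmgr view crl` and, on the CA side, the CRL that needs republishing; the serial list tells you which users are affected.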
Resolution
- Fix the root cause on the CA/CRL server: publish an up-to-date CRL at the distribution point named in the logs (http://cdpweb/CertEnroll/RootCA.crl above; on a Microsoft CA, `certutil -CRL` on the issuing CA generates and publishes a new one) so that its Next Update lies in the future, and make sure the client presents a current (renewed, if needed) client certificate. Renewing the client certificate alone does not help, because the expired object is the CA's CRL, not the client's certificate. Confirm with `debug sslmgr view crl <url>` that the firewall now shows the new Next update time.
- As a workaround, uncheck the "Use CRL" option in the certificate profile. This disables revocation checking against that CRL entirely, so a revoked client certificate would be accepted until "Use CRL" is re-enabled; treat it as temporary, and prefer "Use OCSP" if the CA provides an OCSP responder.
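Before re-enabling "Use CRL", it is worth checking the republished CRL the way the firewall will. The following is an added example, not code from this article or from Palo Alto Networks, and it assumes the Python cryptography package is installed. It builds two throw-away CRLs signed by a constructed lab CA (issuer name, key, serials, dates and the fixed clock are all placeholders): a stale one whose nextUpdate is behind the clock, and a fresh one with the same revocation list. A client-certificate serial is then evaluated against each: "unknown" for the expired CRL (the article's "CRL status unknown: CRL has expired" case), "revoked" or "good" for the fresh one, and "unknown" again when the CRL's signature does not verify against the issuer key. Against a real CDP the DER bytes would come from `urllib.request.urlopen(uri).read()` instead of the constructed data.

```python
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

# Constructed test data: a throw-away CA key and issuer name, not the RootCA from the article.
SAMPLE_KEY = ec.generate_private_key(ec.SECP256R1())
ROGUE_KEY = ec.generate_private_key(ec.SECP256R1())  # an unrelated key, to show signature failure
SAMPLE_ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Lab CA")])
NOW = dt.datetime(2022, 12, 16, 6, 26, 0, tzinfo=UTC)  # fixed clock so results are reproducible


def _utc(crl, field):
    """Return thisUpdate/nextUpdate as an aware UTC datetime on old and new cryptography releases."""
    value = getattr(crl, field + "_utc", None)            # cryptography >= 42
    if value is None:
        value = getattr(crl, field).replace(tzinfo=UTC)   # older releases return naive UTC
    return value


def crl_status(der, serial, now=None, issuer_public_key=None):
    """Model the check a relying party such as sslmgr performs against a cached CRL.

    Returns the CRL validity window, whether it has expired at `now`, whether `serial`
    is listed, and a verdict of 'good', 'revoked' or 'unknown'. The signature is only
    verified when the issuer's public key is supplied; an expired CRL or a bad signature
    both yield 'unknown', because the list cannot be trusted even if the serial is in it.
    """
    now = now or dt.datetime.now(UTC)
    crl = x509.load_der_x509_crl(der)
    this_update, next_update = _utc(crl, "last_update"), _utc(crl, "next_update")
    signature_ok = None if issuer_public_key is None else crl.is_signature_valid(issuer_public_key)
    expired = now > next_update
    listed = crl.get_revoked_certificate_by_serial_number(serial) is not None
    if signature_ok is False or expired:
        verdict = "unknown"
    else:
        verdict = "revoked" if listed else "good"
    return {"this_update": this_update, "next_update": next_update, "expired": expired,
            "signature_ok": signature_ok, "listed": listed, "verdict": verdict}


def build_crl(this_update, next_update, revoked, key=SAMPLE_KEY):
    """Build a signed DER CRL; `revoked` is a list of (serial, revocation_date) pairs."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(SAMPLE_ISSUER)
               .last_update(this_update)
               .next_update(next_update))
    for serial, when in revoked:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(when).build())
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


REVOKED = [(0x17, dt.datetime(2022, 6, 24, 22, 35, 0, tzinfo=UTC))]
# What the firewall had cached in the article: nextUpdate already behind the clock.
STALE_CRL = build_crl(dt.datetime(2022, 11, 1, tzinfo=UTC),
                      dt.datetime(2022, 12, 8, 15, 30, 17, tzinfo=UTC), REVOKED)
# The republished CRL: same revocation list, nextUpdate in the future.
FRESH_CRL = build_crl(dt.datetime(2022, 12, 16, tzinfo=UTC),
                      dt.datetime(2023, 1, 8, 15, 30, 17, tzinfo=UTC), REVOKED)


def demo():
    """Evaluate a revoked and an unrevoked serial against the stale and fresh CRLs."""
    pub = SAMPLE_KEY.public_key()
    return {
        "stale": crl_status(STALE_CRL, 0x17, NOW, pub),
        "fresh_revoked": crl_status(FRESH_CRL, 0x17, NOW, pub),
        "fresh_good": crl_status(FRESH_CRL, 0x42, NOW, pub),
        "wrong_issuer_key": crl_status(FRESH_CRL, 0x42, NOW, ROGUE_KEY.public_key()),
    }


if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name:17s} nextUpdate={s['next_update']:%Y-%m-%d %H:%M:%S} "
              f"expired={s['expired']} listed={s['listed']} verdict={s['verdict']}")
```

The "unknown" verdict is this example's model of what the logs above show, not sslmgr's implementation; the point is that after republishing, the fresh CRL must both verify under the issuer's key and carry a nextUpdate later than the firewall's clock before "Use CRL" is switched back on.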