How to Use a Wildcard SSL Cert with Subject Alternative Names for GlobalProtect Portal/Gateway

61757
Created On 09/25/18 19:47 PM - Last Modified 04/15/21 18:44 PM


Environment
  •  Palo Alto Networks Firewall (physical or virtual)


Resolution

This document describes how to use a single certificate with a wildcard Common Name (for example *.example.com) plus Subject Alternative Names (SANs) for the other protected hostnames. The DNS names of the GlobalProtect Portal and of each GlobalProtect Gateway are assumed to be listed as SANs. This matters because modern TLS clients match the hostname they connected to against the SAN list and ignore the Common Name whenever a DNS SAN is present (RFC 2818, RFC 6125), so a name that appears only in the CN is not enough.

  1. Create a CA root certificate by navigating to Device > Certificate Management > Certificates and selecting Generate.
Note: Ensure the checkbox next to "Certificate Authority" is selected so that the certificate is generated as a CA certificate. A CA generated on the firewall is not trusted by any endpoint until its root certificate is installed in the client trust store (for example by the GlobalProtect portal agent configuration or by your endpoint management tooling); if you cannot distribute it, have the leaf certificate in the next step issued by a public CA instead.

Snapshot displaying the Generate Certificate dialog box with the Certificate Authority checkbox selected
  2. Create a new leaf certificate by specifying the proper parameters, set "Signed By" to the CA root certificate generated above, and select Generate. This will be the wildcard certificate used for the GlobalProtect Portal and Gateway. For example:
       Name: GP-Cert
       Common Name: *.example.com
       Signed By: the CA certificate from step 1
       Subject Alternative Name: DNS Name=vpn1.example.com, DNS Name=vpn2.example.com
Snapshot displaying the creation of a new leaf certificate within PAN-OS

Note: If the GlobalProtect Portal and Gateway share the same IP address (that is, one Palo Alto Networks firewall interface is configured as both portal and gateway), a single hostname can be used for the shared IP address. For this example, the portal and gateway hostname would be vpn2.example.com.
  3. (Optional) In a multi-gateway setup where the gateways run on other firewalls, export the leaf certificate together with its private key (PKCS#12 format) from the firewall that generated it and import it on each GlobalProtect Gateway firewall by navigating to Device > Certificate Management > Certificates and selecting Import, so that every firewall presenting one of the protected names holds the same key pair.
  4. Apply the server certificate to the proper SSL/TLS Service Profile by navigating to Device > Certificate Management > SSL/TLS Service Profile and selecting the profile used by the portal and gateway. Then choose the newly created server certificate from the Certificate dropdown menu as shown below and choose OK:
Snapshot displaying the SSL/TLS Service Profile dialog box

 

  5. Commit your changes and confirm that the GlobalProtect app connects to the portal and to each gateway without a certificate warning.
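The reason the gateway names must be in the SAN list can be checked before committing. The following is an added example and not PAN-OS code or part of the original article: it models, in pure Python, the hostname matching rules modern TLS clients apply (case-insensitive, wildcard only as the whole leftmost label, wildcard matches exactly one label, CN ignored when a DNS SAN is present) and reports which portal and gateway hostnames a given set of certificate names leaves uncovered. The certificate names and hostnames are constructed inline from the example above; the hostname vpn3.example.com and the second, corrected certificate are assumptions added for illustration.

```python
"""Which GlobalProtect hostnames does a certificate actually cover?

Added example, not PAN-OS code. Certificate names are given here as plain
strings (constructed input); on a live firewall you would read them from
the certificate with openssl or a TLS library.
"""


def name_matches(pattern, hostname):
    """Return True if a certificate DNS name (e.g. "*.example.com") covers hostname.

    Rules as browsers and most TLS stacks implement RFC 6125 section 6.4.3:
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard is only honoured as the entire leftmost label
        ("vpn*.example.com" is not a valid wildcard)
      * the wildcard matches exactly one label, never zero or several, so
        "*.example.com" covers vpn1.example.com but not example.com or
        a.b.example.com
      * at least two labels must follow the wildcard ("*.com" is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard must be the whole leftmost label and nothing else
    if len(p_labels) < 3:
        return False  # refuse over-broad patterns such as "*.com"
    if len(h_labels) != len(p_labels):
        return False  # '*' stands for exactly one label
    return p_labels[1:] == h_labels[1:]


def accepted_names(common_name, san_dns):
    """Names a modern client compares the requested hostname against.

    When the certificate carries any DNS SAN the Common Name is ignored
    (RFC 2818 section 3.1, RFC 6125 section 6.4.4); only a certificate with
    no DNS SAN at all is matched on its CN.
    """
    return list(san_dns) if san_dns else [common_name]


def uncovered_hostnames(common_name, san_dns, hostnames):
    """Return the portal/gateway hostnames that the certificate does not cover."""
    names = accepted_names(common_name, san_dns)
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    # The certificate exactly as generated in the steps above.
    page_cn = "*.example.com"
    page_sans = ["vpn1.example.com", "vpn2.example.com"]
    # vpn3.example.com is an assumed extra gateway added for illustration.
    hosts = ["vpn1.example.com", "vpn2.example.com", "vpn3.example.com"]
    print("uncovered with wildcard only in CN:",
          uncovered_hostnames(page_cn, page_sans, hosts))
    # Corrected certificate (assumption): the wildcard is also listed as a SAN.
    fixed_sans = ["*.example.com", "vpn1.example.com", "vpn2.example.com"]
    print("uncovered with wildcard in SAN:",
          uncovered_hostnames(page_cn, fixed_sans,
                              hosts + ["example.com", "a.b.example.com"]))
```

To feed the real names into this check after the commit, pull them from the live listener with `openssl s_client -connect vpn1.example.com:443 -servername vpn1.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` (OpenSSL 1.1.1 or later for `-ext`); any gateway whose hostname is absent from that SAN output will produce a certificate warning in the client even though the CN is a matching wildcard.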


https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000Cld8&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail