I am trying to configure GlobalProtect (hereafter: "GP") TLS VPN on a PA-3050 running PAN-OS 8.0.6-h3. I am working with a GP client version 4.0.5.

I have successfully configured GP so that I am able to connect when using a self-signed certificate in the SSL/TLS Service Profile used on both the GP Portal and Gateway configuration; however, when I try to switch the SSL/TLS Service Profile in use to one that uses a certificate signed by our trusted internal certificate authority, I receive the following error after authenticating:

"Gateway : The server certificate is invalid."

* This is the name of the external gateway configured in the GP Portal on the Agent tab, not the name of the GP Gateway on the Gateways section of the Network | GlobalProtect setup.

We do not have any sort of client certificate authentication configured.

Regarding the internal-CA-signed certificate: I used a certificate template that we use for web servers. The internal CA's root certificate is already marked as a trusted root CA certificate on the PAN NGFWs as well as all of our workstations and servers, including the client machine I am testing with. When I visit the GP Portal web page, the web browser shows the Portal's server certificate as trusted; I do not see any sort of certificate warning (which I do when I use the self-signed certificate instead).

My assumption is that it has something to do with the marked capabilities of the internal-CA-signed certificate vs. the self-signed certificate. The self-signed certificate has the following attributes on the Key Usage property: Digital Signature, Key Encipherment, Data Encipherment, and Key Agreement (b8). It has the following attributes on the Enhanced Key Usage property: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), and IP security end system (1.3.6.1.5.5.7.3.5).

My internal-CA-signed certificate has the following Key Usage attributes: Digital Signature, Key Encipherment (a0). It has the following Enhanced Key Usage attributes: Server Authentication (1.3.6.1.5.5.7.3.1).

Clearly, my internal-CA-signed certificate is configured to be allowed for a more limited set of uses and capabilities than the self-signed certificate generated by the PAN NGFW itself. I'm not against configuring a special certificate template on our internal CA in order to add additional capabilities to a cert for use by the PAN NGFW for the purpose of GP Portal/Gateway server configuration, but I want to know what capabilities are required.

BTW, I came across the following document about Deploy Server Certificates to the GlobalProtect Components. It seems to indicate in the 'Use Simple Certificate Enrollment Protocol (SCEP) to request a server certificate from your enterprise CA' section that the only attributes required are Key Encipherment and Digital Signature, both of which my internal-CA-signed certificate has.

Browsers show 4xx errors when there is a client-side issue while browsing a website. A 403 error specifically translates to "Forbidden". Check Failed Request Logs and IIS logs to get more details about the issue. If you see 16 as a sub-status code, it means the underlying reason is that "Client certificate is untrusted or invalid" (Reference). In the case I worked on, the issue was the missing root certificate in IIS server. We solved the issue by adding the certificate following the steps below.

1. In IIS server, click Start, type "mmc.exe".
2. From "Available snap-ins" list, click "Certificates". Click "Finish", "Close", and "OK" in the given order.
3. Go to "Certificates > Trusted Root Certification Authorities > right-click Certificates > All Tasks > Import".
4. On the "Certificate Import Wizard" window, click "Next".
5. Type the location of the certification authority's root certificate. Click "Next".

Another root cause of the 403.
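The Key Usage values the GlobalProtect post above quotes in parentheses, "(a0)" and "(b8)", are the hex bytes of the Key Usage BIT STRING as the Windows certificate viewer displays them. The following is an added example (not code from the post, from Palo Alto Networks, or from the IIS write-up) that decodes those bytes into the named usages and checks a certificate's Key Usage and Enhanced Key Usage against the requirements the post cites from the SCEP section of the GlobalProtect documentation: Digital Signature, Key Encipherment, and the Server Authentication EKU. It assumes the hex string is the bit-string content after the DER "unused bits" byte, which is how the viewer shows it; the function names and the constructed sample inputs are this example's own.

```python
"""Decode X.509 Key Usage bits and check a GlobalProtect server certificate's
capabilities against the Digital Signature / Key Encipherment / Server
Authentication requirement cited on the page. Standard library only."""

# Key Usage bit positions from RFC 5280 section 4.2.1.3. In a DER BIT STRING
# bit 0 is the most significant bit of the first content byte, so the hex value
# "a0" (1010 0000) sets bits 0 and 2, i.e. Digital Signature + Key Encipherment.
KEY_USAGE_BITS = [
    "Digital Signature",     # bit 0
    "Non Repudiation",       # bit 1 (contentCommitment)
    "Key Encipherment",      # bit 2
    "Data Encipherment",     # bit 3
    "Key Agreement",         # bit 4
    "Certificate Signing",   # bit 5
    "CRL Signing",           # bit 6
    "Encipher Only",         # bit 7
    "Decipher Only",         # bit 8 (second byte)
]

# Extended Key Usage OIDs that appear in the post.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.5": "IP security end system",
}

# Requirements as stated on the page for a GP Portal/Gateway server certificate.
REQUIRED_KEY_USAGE = {"Digital Signature", "Key Encipherment"}
REQUIRED_EKU_OIDS = {"1.3.6.1.5.5.7.3.1"}  # Server Authentication


def decode_key_usage(hex_bits: str) -> set:
    """Turn the viewer's hex Key Usage value (e.g. 'a0', 'b8') into usage names.
    Assumption: the hex is the BIT STRING content, unused-bits byte already removed."""
    data = bytes.fromhex(hex_bits.strip())
    names = set()
    for bit, name in enumerate(KEY_USAGE_BITS):
        byte_index, bit_in_byte = divmod(bit, 8)
        if byte_index >= len(data):
            break  # short bit string: remaining bits are absent, i.e. not set
        if data[byte_index] & (0x80 >> bit_in_byte):
            names.add(name)
    return names


def check_gp_server_cert(key_usage_hex: str, eku_oids) -> dict:
    """Report which of the required capabilities a certificate is missing."""
    key_usage = decode_key_usage(key_usage_hex)
    eku_oids = set(eku_oids)
    missing_ku = REQUIRED_KEY_USAGE - key_usage
    missing_eku = REQUIRED_EKU_OIDS - eku_oids
    return {
        "key_usage": sorted(key_usage),
        "eku": sorted(EKU_NAMES.get(oid, oid) for oid in eku_oids),
        "missing_key_usage": sorted(missing_ku),
        "missing_eku": sorted(EKU_NAMES.get(oid, oid) for oid in missing_eku),
        "ok": not missing_ku and not missing_eku,
    }


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two certificates described in the post.
    firewall_self_signed = check_gp_server_cert(
        "b8", ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.5"])
    internal_ca_signed = check_gp_server_cert("a0", ["1.3.6.1.5.5.7.3.1"])
    for label, result in (("self-signed", firewall_self_signed),
                          ("internal CA", internal_ca_signed)):
        print(f"{label}: {result}")
```

Both certificates from the post pass this check, which matches the poster's reading of the documentation: the Key Usage and EKU values alone do not explain the "server certificate is invalid" error, so the remaining differences to examine are elsewhere in the certificate (for example the Subject / Subject Alternative Name matching the gateway address the client was handed, or the chain the firewall presents).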