In my previous post I covered recovering a downed CA, cause it will be needed for this section of the GlobalProtect tutorial.
Step 1) Importing the CA Certs
We need to add all the CA certs that are involved in completing the chain, so this includes, the Offline-Root-Ca, as well as the Sub Ca.
Adding the Sub CA cert:
Device -> Certs -> Import -> Base64 cer file
Step 2) Generating a CSR
Generate a a Sub CA Key for the PA to handle the Gateway certs, afterwards generate a Gateway certificate as well.
export the CSR, for some reason the latest Chrome causes a constant refresh, argggg had to export the CSR via IE, gross….
Navigate to your CA’s signing Web page (the Sub CA in this case), open the CSR in notepad and paste the results, and select Sub CA for the template:
Then save as Base64 type cert, and import back into the PA firewall, if successful will look like this:
Also import Offline-root-ca cert to complete the chain
Step 3) Certificate Profiles
Alright time for Certificate Profiles
Add all the Certs
Step 4) SSL/TLS Profiles
Create a SSL/TLS Profile:
Name it whatever, pick TLS 1.2 as min and max, and select the PA Sub CA we created earlier.
Step 5) Create User Certificate
Step 5.1) Create Template on CA
Then under Cert Templates, right click it, and duplicate
5 Years, i don’t like doing this often
Signature and encryption, check off include symmetric allowed by subject, min key size of 2048 and key is exportable
Along with the default, check off MS RSA and AES, and RSA SChannel
Subject Name, Supply in the Request, it will complain about the security risk, accept them. (Normally you’d create the certificates at the client machines, but in this case I am doint it the “wrong way” by having a global user certificate)
If you require additional permissions apply them now, by default domain admins have full control, and domain users have enroll rights.
Step 5.2) Generate User CSR
With the Template configured, lets create the User Cert for the VPN, in this case we generate the CSR on the PA, but since we made the key exportable, we can export the certificate with key to be installed on the end device (instead of the CSR being generated on the device and then signed, and the public key being installed on the portal, which is the right way… hopefully I can get that, but the toughest part is generating certificates on phones, have to learn each devices OS on how to do it)
On the PA Device, Certs, Generate
*NOTE* I noticed that with the latest Chrome that when you attempt to export any certificate it just seems to refresh the page, sadly the only work around I have is to use IE… Ugh….
Open the CSR in Notepad, navigate to your Sub CA’s certificate signing page, sign the certificate.
*Secrete enable remote management on IIS Core*
lol, I was wondering why i couldn’t see my Template in the web interface, so I looked up my own very old blog post (3rd one I believe) and I realized I forgot to publish it, like I did the Authentication Session Template. Durrrr, then it kept complaining about https for cert destro (makes sense) but since I had a core subca, I couldn’t connect to the IIS remotely, then I found this, saved my bacon, and followed this to enable HTTPS, Then finally…
then Import it on to the Firewall,
it should look like this
In the next section I’ll cover configuring the Portal and Gateway settings. 😀