In my previous post I covered recovering a downed CA, cause it will be needed for this section of the GlobalProtect tutorial.<\/p>\n
<\/span>Step 1) Importing the CA Certs<\/span><\/h2>\nWe need to add all the CA certs that are involved in completing the chain, so this includes, the Offline-Root-Ca, as well as the Sub Ca.<\/p>\n
Adding the Sub CA cert:<\/p>\n
Device -> Certs -> Import -> Base64 cer file<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/HsLYDTy.png\")
<\/a><\/p>\n<\/span>Step 2) Generating a CSR<\/span><\/h2>\nGenerate a a Sub CA Key for the PA to handle the Gateway certs, afterwards generate a Gateway certificate as well.<\/p>\n
Click generate:<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/t2njg9P.png\")
<\/a><\/p>\nClick Generate<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/IUMocdw.png\")
<\/a><\/p>\nexport the CSR, for some reason the latest Chrome causes a constant refresh, argggg had to export the CSR via IE, gross….<\/p>\n
Navigate to your CA’s signing Web page (the Sub CA in this case), open the CSR in notepad and paste the results, and select Sub CA for the template:<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/z6YPJZ3.png\")
<\/a><\/p>\nThen save as Base64 type cert, and import back into the PA firewall, if successful will look like this:<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/Lg0V4QZ.png\")
<\/a><\/p>\nAlso import Offline-root-ca cert to complete the chain<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/h5txYSh.png\")
<\/a><\/p>\n<\/span>Step 3) Certificate Profiles<\/span><\/h2>\nAlright time for Certificate Profiles<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/99NKymb.png\")
<\/a><\/p>\nAdd all the Certs<\/p>\n
<\/span>Step 4) SSL\/TLS Profiles<\/span><\/h2>\nCreate a SSL\/TLS Profile:<\/p>\n
Name it whatever, pick TLS 1.2 as min and max, and select the PA Sub CA we created earlier.<\/p>\n
<\/span>Step 5) Create User Certificate<\/span><\/h2>\n<\/span>Step 5.1) Create Template on CA<\/span><\/h3>\n![\"\"](\"https:\/\/i.imgur.com\/Z63ewoD.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/i.imgur.com\/QorsRU8.png\")
<\/a><\/p>\nThen under Cert Templates, right click it, and duplicate<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/Fr38e1i.png\")
<\/a><\/p>\n5 Years, i don’t like doing this often<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/ZphfGow.png\")
<\/a><\/p>\nSignature and encryption, check off include symmetric allowed by subject, min key size of 2048 and key is exportable<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/iMo88Pa.png\")
<\/a><\/p>\nAlong with the default, check off MS RSA and AES, and RSA SChannel<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/wt89vLA.png\")
<\/a><\/p>\nSubject Name, Supply in the Request, it will complain about the security risk, accept them. (Normally you’d create the certificates at the client machines, but in this case I am doint it the “wrong way” by having a global user certificate)<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/EIajHo3.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/i.imgur.com\/zheAsHg.png\")
<\/a><\/p>\nClick Apply.<\/p>\n
If you require additional permissions apply them now, by default domain admins have full control, and domain users have enroll rights.<\/p>\n
<\/span>Step 5.2) Generate User CSR<\/span><\/h3>\nWith the Template configured, lets create the User Cert for the VPN, in this case we generate the CSR on the PA, but since we made the key exportable, we can export the certificate with key to be installed on the end device (instead of the CSR being generated on the device and then signed, and the public key being installed on the portal, which is the right way… hopefully I can get that, but the toughest part is generating certificates on phones, have to learn each devices OS on how to do it)<\/p>\n
On the PA Device, Certs, Generate<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/18UDONd.png\")
<\/a><\/p>\n*NOTE* I noticed that with the latest Chrome that when you attempt to export any certificate it just seems to refresh the page, sadly the only work around I have is to use IE… Ugh….<\/p>\n
Open the CSR in Notepad, navigate to your Sub CA’s certificate signing page, sign the certificate.<\/p>\n
<\/span>*Secrete enable remote management on IIS Core*<\/span><\/h3>\nlol, I was wondering why i couldn’t see my Template in the web interface, so I looked up my own very old blog post (3rd one I believe) and I realized I forgot to publish it, like I did the Authentication Session Template. Durrrr, then it kept complaining about https for cert destro (makes sense) but since I had a core subca, I couldn’t connect to the IIS remotely, then I found this<\/a>, saved my bacon, and followed this to enable HTTPS<\/a>, Then finally…<\/p>\n![\"\"](\"https:\/\/i.imgur.com\/q7PBqCa.png\")
<\/a><\/p>\nthen Import it on to the Firewall,<\/p>\n
![\"\"](\"https:\/\/i.imgur.com\/tBZbOPF.png\")
<\/a><\/p>\nit should look like this<\/p>\n
<\/a><\/p>\n<\/span>Step 2) Generating a CSR<\/span><\/h2>\nGenerate a a Sub CA Key for the PA to handle the Gateway certs, afterwards generate a Gateway certificate as well.<\/p>\n
Click generate:<\/p>\n
<\/a><\/p>\nClick Generate<\/p>\n
<\/a><\/p>\nexport the CSR, for some reason the latest Chrome causes a constant refresh, argggg had to export the CSR via IE, gross….<\/p>\n
Navigate to your CA’s signing Web page (the Sub CA in this case), open the CSR in notepad and paste the results, and select Sub CA for the template:<\/p>\n
<\/a><\/p>\nThen save as Base64 type cert, and import back into the PA firewall, if successful will look like this:<\/p>\n
<\/a><\/p>\nAlso import Offline-root-ca cert to complete the chain<\/p>\n
<\/a><\/p>\n<\/span>Step 3) Certificate Profiles<\/span><\/h2>\nAlright time for Certificate Profiles<\/p>\n
<\/a><\/p>\nAdd all the Certs<\/p>\n
<\/span>Step 4) SSL\/TLS Profiles<\/span><\/h2>\nCreate a SSL\/TLS Profile:<\/p>\n
Name it whatever, pick TLS 1.2 as min and max, and select the PA Sub CA we created earlier.<\/p>\n
<\/span>Step 5) Create User Certificate<\/span><\/h2>\n<\/span>Step 5.1) Create Template on CA<\/span><\/h3>\n<\/a><\/p>\n<\/a><\/p>\nThen under Cert Templates, right click it, and duplicate<\/p>\n
<\/a><\/p>\n5 Years, i don’t like doing this often<\/p>\n
<\/a><\/p>\nSignature and encryption, check off include symmetric allowed by subject, min key size of 2048 and key is exportable<\/p>\n
<\/a><\/p>\nAlong with the default, check off MS RSA and AES, and RSA SChannel<\/p>\n
<\/a><\/p>\nSubject Name, Supply in the Request, it will complain about the security risk, accept them. (Normally you’d create the certificates at the client machines, but in this case I am doint it the “wrong way” by having a global user certificate)<\/p>\n
<\/a><\/p>\n<\/a><\/p>\nClick Apply.<\/p>\n
If you require additional permissions apply them now, by default domain admins have full control, and domain users have enroll rights.<\/p>\n
<\/span>Step 5.2) Generate User CSR<\/span><\/h3>\nWith the Template configured, lets create the User Cert for the VPN, in this case we generate the CSR on the PA, but since we made the key exportable, we can export the certificate with key to be installed on the end device (instead of the CSR being generated on the device and then signed, and the public key being installed on the portal, which is the right way… hopefully I can get that, but the toughest part is generating certificates on phones, have to learn each devices OS on how to do it)<\/p>\n
On the PA Device, Certs, Generate<\/p>\n
<\/a><\/p>\n*NOTE* I noticed that with the latest Chrome that when you attempt to export any certificate it just seems to refresh the page, sadly the only work around I have is to use IE… Ugh….<\/p>\n
Open the CSR in Notepad, navigate to your Sub CA’s certificate signing page, sign the certificate.<\/p>\n
<\/span>*Secrete enable remote management on IIS Core*<\/span><\/h3>\nlol, I was wondering why i couldn’t see my Template in the web interface, so I looked up my own very old blog post (3rd one I believe) and I realized I forgot to publish it, like I did the Authentication Session Template. Durrrr, then it kept complaining about https for cert destro (makes sense) but since I had a core subca, I couldn’t connect to the IIS remotely, then I found this<\/a>, saved my bacon, and followed this to enable HTTPS<\/a>, Then finally…<\/p>\n<\/a><\/p>\nthen Import it on to the Firewall,<\/p>\n
<\/a><\/p>\nit should look like this<\/p>\n
<\/a><\/p>\nClick Generate<\/p>\n
export the CSR, for some reason the latest Chrome causes a constant refresh, argggg had to export the CSR via IE, gross….<\/p>\n Navigate to your CA’s signing Web page (the Sub CA in this case), open the CSR in notepad and paste the results, and select Sub CA for the template:<\/p>\n Then save as Base64 type cert, and import back into the PA firewall, if successful will look like this:<\/p>\n Also import Offline-root-ca cert to complete the chain<\/p>\n Alright time for Certificate Profiles<\/p>\n Add all the Certs<\/p>\n Create a SSL\/TLS Profile:<\/p>\n Name it whatever, pick TLS 1.2 as min and max, and select the PA Sub CA we created earlier.<\/p>\n Then under Cert Templates, right click it, and duplicate<\/p>\n 5 Years, i don’t like doing this often<\/p>\n Signature and encryption, check off include symmetric allowed by subject, min key size of 2048 and key is exportable<\/p>\n Along with the default, check off MS RSA and AES, and RSA SChannel<\/p>\n Subject Name, Supply in the Request, it will complain about the security risk, accept them. (Normally you’d create the certificates at the client machines, but in this case I am doint it the “wrong way” by having a global user certificate)<\/p>\n Click Apply.<\/p>\n If you require additional permissions apply them now, by default domain admins have full control, and domain users have enroll rights.<\/p>\n With the Template configured, lets create the User Cert for the VPN, in this case we generate the CSR on the PA, but since we made the key exportable, we can export the certificate with key to be installed on the end device (instead of the CSR being generated on the device and then signed, and the public key being installed on the portal, which is the right way… hopefully I can get that, but the toughest part is generating certificates on phones, have to learn each devices OS on how to do it)<\/p>\n On the PA Device, Certs, Generate<\/p>\n *NOTE* I noticed that with the latest Chrome that when you attempt to export any certificate it just seems to refresh the page, sadly the only work around I have is to use IE… Ugh….<\/p>\n Open the CSR in Notepad, navigate to your Sub CA’s certificate signing page, sign the certificate.<\/p>\n lol, I was wondering why i couldn’t see my Template in the web interface, so I looked up my own very old blog post (3rd one I believe) and I realized I forgot to publish it, like I did the Authentication Session Template. Durrrr, then it kept complaining about https for cert destro (makes sense) but since I had a core subca, I couldn’t connect to the IIS remotely, then I found this<\/a>, saved my bacon, and followed this to enable HTTPS<\/a>, Then finally…<\/p>\n then Import it on to the Firewall,<\/p>\n it should look like this<\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/span>Step 3) Certificate Profiles<\/span><\/h2>\n
<\/a><\/p>\n<\/span>Step 4) SSL\/TLS Profiles<\/span><\/h2>\n
<\/span>Step 5) Create User Certificate<\/span><\/h2>\n
<\/span>Step 5.1) Create Template on CA<\/span><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/span>Step 5.2) Generate User CSR<\/span><\/h3>\n
<\/a><\/p>\n<\/span>*Secrete enable remote management on IIS Core*<\/span><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\n